[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: (ITS#8374) LDAP_OPT_X_TLS_REQUIRE_CERT handling differences between ldaps:// and STARTTLS

Ok, retested with latest code built from source.

I also reconfirmed using a publicly available openldap server, to make sure it isn't something stupid I am doing locally. 

So you can reproduce easily, the test pseudo code is:

ldap_initialize (ldaps://ldap.andrew.cmu.edu)
ldap_set_option LDAP_OPT_X_TLS_REQUIRE_CERT (enumerate options)

ldap_initialize (ldap://
ldap_set_option LDAP_OPT_X_TLS_REQUIRE_CERT (enumerate options)

The results are:

Server with valid certificate, all values of LDAP_OPT_X_TLS_REQUIRE_CERT for both ldaps and ldap+starttls connect. This is what  I would expect.

Server with invalid certificate (IP does not match the cert FQDN), only NEVER and ALLOW values of LDAP_OPT_X_TLS_REQUIRE_CERT succeed for ldaps (this is what  I would expect) however all values of LDAP_OPT_X_TLS_REQUIRE_CERT for ldap+starttls succeed, which is not what I would expect: I think that the certificate check should fail the connection, as per the ldaps behaviour.