[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: TLS options in 2.0.6 and HEAD

> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Gerald Carter

> Folks,
> As I read the slapd code, it appears that
>   o TLSVerifyClient is broken in 2.0.6 (at least the config file
>     reading for it is). This appears to be fixed in HEAD, correct?

>   o I am a little unclear of the use of TLSCACertificatePath
>     and TLSCACertificateFile.  I assume that these are for 
>     specifying a CA used to verify the slapd server's certificate 
>     in the case where it is not self-signed.  Can someone briefly
>     explain the difference between the Dir and Path?  The 
>     documentation on SSL_CTX_load_verify_locations() seems 
>     to be a little sparse.  Do these work in 2.0.6?

A PEM file can contain multiple certificates. If you have all of your CA
certs in one file, you only need to use the TLSCACertificateFile directive.
Alternatively, you can keep your CA certs in one file per cert. Then you
must use the TLSCACertificatePath directive to tell where the files reside.
The CA certs are not only the ones that verified your server's cert, but
are also the only CAs that your server will accept from a client. I.e., if
you are using client certificate verification, the CA that generated the
client cert must be one of the CAs that your server has represented in
its TLSCACertificateFile or TLSCACertificatePath.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc