TLS client certs, SASL EXTERNAL

After testing my recent changes to sasl.c/saslauthz.c, I noticed a slight
problem with SASL EXTERNAL. Currently the LDAP library can be configured to
require client certs or ignore client certs on a TLS connection. If SASL
EXTERNAL is desired on a TLS session, a certificate must be provided. With the
current code, the server only asks for the client cert if certs are required
(TLSVerifyClient is On). When TLSVerifyClient is in its default (Off) state,
the server never asks the client for a cert, and so SASL EXTERNAL can never
succeed. It seems to me that we need a middle "client cert is optional" state
in here, so that the server can ask for a client cert but will not complain if
none is available. Or we can just change the default state to "always ask for
optional client cert" for simplicity. Opinions, anyone?

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
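The three-way client-certificate policy the message argues for, shown with Python's ssl module as an added illustration (not OpenLDAP code and not part of the original post): ssl.CERT_NONE never requests a cert, ssl.CERT_OPTIONAL requests one but tolerates its absence, and ssl.CERT_REQUIRED fails the handshake without one. The policy names "never"/"optional"/"required" and the outcome labels are assumptions of this example.

```python
import ssl
from typing import Optional

# Assumed policy names for this example; they map onto the verify modes that
# OpenSSL-based stacks expose. "optional" is the middle state the message asks for.
POLICY_TO_VERIFY_MODE = {
    "never": ssl.CERT_NONE,         # server never sends a CertificateRequest
    "optional": ssl.CERT_OPTIONAL,  # server asks; a missing cert is tolerated
    "required": ssl.CERT_REQUIRED,  # server asks; handshake fails without one
}


def server_context(policy: str, cafile: Optional[str] = None) -> ssl.SSLContext:
    """Build a server-side TLS context whose verify_mode follows the policy.

    cafile is the trust anchor used to verify any client cert that is
    presented; it may be omitted here only to inspect the resulting mode.
    """
    if policy not in POLICY_TO_VERIFY_MODE:
        raise ValueError(f"unknown client-cert policy: {policy}")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = POLICY_TO_VERIFY_MODE[policy]
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def session_outcome(policy: str, client_has_cert: bool) -> str:
    """Model what happens to a TLS session and to SASL EXTERNAL under a policy.

    Returns one of (assumed labels):
      "anonymous"        - session is up, no client identity, EXTERNAL cannot succeed
      "external_ok"      - a verified client cert is bound to the session
      "handshake_failed" - the server demanded a cert and the client had none
    Caveat: under "optional" a cert that IS presented is still verified against
    the CA; a bad cert fails the handshake just as it does under "required".
    """
    mode = POLICY_TO_VERIFY_MODE[policy]
    if mode == ssl.CERT_NONE:
        # The client is never asked, so even a client holding a cert stays anonymous.
        return "anonymous"
    if client_has_cert:
        return "external_ok"
    return "handshake_failed" if mode == ssl.CERT_REQUIRED else "anonymous"
```

The "never" row is the failure the message describes: with the default policy a client that owns a perfectly good certificate is never asked for it, so SASL EXTERNAL has nothing to bind to.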