[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: TLS client certs, SASL EXTERNAL

> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]

> >OK, I agree with that. I'm actually looking at 4 options now:
> >        no/never - same as old default, the server never asks for a
> client cert.
> >        allow - server asks. If a bad cert is received, ignore it.

> I'm not sure this about this one, that behavior might be
> counter to the specs (though I haven't checked).  Anyways,
> I think the client should be told its cert is bad.  Also,
> as some clients blindly go on, killing the connection is a
> good here.  However, as long as appropriate security
> considerations are noted in the documentation, I can live
> with it.

OK, the current code will send a TLS warning alert to the client indicating a
bad cert. (Whether the client actually sees or does anything with it is
anyone's guess. You need at least Trace level debug to see it with our client
library.) As for security considerations, it degenerates to the case of no cert
provided at all, same as the current default. In this case, you still get
privacy for the session, even if you don't get PKI-based authentication.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support