ssl negotiation and openldap
- To: openldap-technical <email@example.com>
- Subject: ssl negotiation and openldap
- From: "Brett @Google" <firstname.lastname@example.org>
- Date: Thu, 1 Mar 2012 13:45:32 +1000
I've recently had issues with a 3rd party Java client using JDK 1.4.x, trying to connect with ldaps:// to OpenLDAP 2.4.26, compiled with OpenSSL 1.0.0d.
It would appear that the client's JDK 1.4.x has a few harsh restrictions with regard to modulus size in certificates, even with all unrestricted "export" policies installed.
So I was wondering a few things:
1. Does OpenLDAP do anything with the CA certs, other than verify local or remote certificates, such as sending them over the SSL connection?
2. It's my understanding that in SSL negotiation, only server or client certificates are exchanged, and CA certs are not sent over the wire
(as IMHO it would literally be a "trust" issue to do otherwise :).
3. Other than providing certificates / keys to the OpenSSL API, is there anything special that happens, other than handing off to stock OpenSSL negotiation?
Trying to work out what is being sent to the client to trigger a "modulus size" error on the client, other than the client's inherent badness, which I cannot control :)
If 3. is no, then I'm open to any suggestions with regard to interesting or useful SSL negotiation documents out there that might shed some light.
The only thing that interferes with my learning is my education.
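The practical way to settle questions 1 and 2 is to look at what the server actually puts in its Certificate message rather than reason about it: the script below (an added example, not part of the original post) reports the RSA modulus size of every certificate in a PEM bundle, such as the one `openssl s_client -showcerts` prints for an LDAPS endpoint. The `ldap.example.test` hostname is a placeholder and the test certificates are constructed on the fly; the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original post: find the RSA modulus size of every
# certificate in the chain an LDAPS server sends, which is the input an old
# client's "modulus size" check is reacting to. Requires the openssl CLI.
set -e

# RSA modulus size in bits of one PEM certificate (empty for non-RSA keys).
modulus_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# One line per certificate in a PEM bundle: "<bits> <subject>".
# Feed it the output of (placeholder hostname):
#   openssl s_client -connect ldap.example.test:636 -showcerts </dev/null > chain.pem
# to see exactly which keys went over the wire, CA certs included or not.
chain_modulus_bits() {
    tmp=$(mktemp -d)
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%03d.pem", dir, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$1"
    for c in "$tmp"/*.pem; do
        printf '%s %s\n' "$(modulus_bits "$c")" "$(openssl x509 -in "$c" -noout -subject)"
    done
    rm -rf "$tmp"
}

# Constructed test fixture: a throwaway self-signed cert with the given key size.
make_test_cert() {  # usage: make_test_cert <bits> <outfile>
    openssl req -x509 -newkey "rsa:$1" -nodes -keyout "$2.key" -out "$2" \
        -days 1 -subj "/CN=test-$1" 2>/dev/null
}

# Stand-alone demo: a 2048-bit "server" cert followed by a 3072-bit "CA" cert,
# mimicking the order a server presents its chain in.
demo() {
    d=$(mktemp -d)
    make_test_cert 2048 "$d/server.pem"
    make_test_cert 3072 "$d/ca.pem"
    cat "$d/server.pem" "$d/ca.pem" > "$d/chain.pem"
    chain_modulus_bits "$d/chain.pem"
    rm -rf "$d"
}
```

Any line whose first field exceeds what the client's JCE tolerates is the certificate to look at; if it belongs to a CA rather than the server, the chain the server is configured to send is the thing to change, not the server key.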