Re: ssl negotiation and openldap

[Howard Chu <hyc@symas.com>]

Brett @Google wrote:
> Hello,
>
> I've recently had issues with a 3rd party java client using jdk 1.4.x, trying
> to connect with ldaps:// to openldap 2.4.26, compiled with OpenSSL 1.0.0d
>
> It would appear that the client's jdk 1.4.x has a few harsh restrictions with
> regard to modulus size in certiicates, even with all unrestricted "export"
> policies installed.
>
> So i was wondering a few things :
>
> 1. does openldap do anything with the CA certs, other than verify local or
> remote certiticates, such as sending them over the ssl connection  ?

OpenLDAP doesn't do *anything* with certs. The backing TLS library does. What 
the TLS library does is the same thing it does for any TLS session, be it 
https, smtps, or whatever.

> 2. it's my understanding that in SSL negotiation, only server or client
> certiticates are exchanged, and ca certs's are not sent over the wire
>     (as IMHO it would literally bet a "trust" issue to do otherwise :).

I suggest you run ldapsearch -d7 and see exactly what happens.

> 3. other than providing certificates / keys to the openssl API, is there
> anything special that happens other than hand off to stock openssl negotiation ?

No.
> Trying to work out what is being sent to the client to trigger a "modulus
> size" error on the client, other than clients inherent badness which i cannot
> control :)

JDK 1.4? Good luck.

> If 3. is no, then i'm open to any suggestions with regard to interesting or
> useful SSL negotiation documents out there, that might shed some light.
>
> Cheers
> Brett
>
> --
> *The only thing that interferes with my learning is my education.*
> *
> Albert Einstein*


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/