[Date Prev][Date Next] [Chronological] [Thread] [Top]

TLS_REQCERT and no server certificate

To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: TLS_REQCERT and no server certificate
From: Jan Synacek <jsynacek@redhat.com>
Date: Tue, 12 Nov 2013 11:34:07 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0

Hello,

quoting ldap.conf(5):

TLS_REQCERT <level>
...
   try    The  server  certificate  is  requested. If no certificate is
provided, the session proceeds normally. If a bad certificate is provided, the
session is immediately terminated.
...

I'd like to try the "If no certificate is provided" part, but can't manage to do
so. I tried configuring the server to
1) not use any CA certificate or server certificate,
2) only use the CA certificate without any server certificate,
3) specify CA certificate dir with no certs in it,
4) specify CA certificate dir with a valid CA cert and no server certs.

In any case, the client (ldapsearch) doesn't even connect to the server, stating
either "SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure" or simply failing
to connect with "Can't contact LDAP server (-1)". The server is listening on
ldap and ldaps. I tested this using both ldaps and StartTLS.

That leads me to a conclusion that what I'm trying to achieve is not achievable
and that the manpage should be changed.

Is the manpage wrong or is there any other way I can test the client with no
server certificate provided?

Cheers,
-- 
Jan Synacek
Software Engineer, Red Hat

Follow-Ups:
- Re: TLS_REQCERT and no server certificate
  - From: Todd Lyons <tlyons@ivenue.com>
- Re: TLS_REQCERT and no server certificate
  - From: Todd Lyons <tlyons@ivenue.com>
- Re: TLS_REQCERT and no server certificate
  - From: Philip Guenther <guenther+ldaptech@sendmail.com>

Prev by Date: RE: openldap syncrepl issue
Next by Date: Re: TLS_REQCERT and no server certificate
Index(es):
- Chronological
- Thread