Re: Antw: Re: TLS_REQCERT and no server certificate
On Wed, 13 Nov 2013, Ulrich Windl wrote:
> "It doesn't do cert chain checking so it will accept self-signed certs."
> Even if it does cert chain checking, a self-signed certificate will be
> accepted! What are you saying?
His use of the phrase "cert chain checking" was misleading.
With 'allow', the ldap client library doesn't care whether the cert's
signature can be validated back to a known-and-trusted root CA.
(If you copied the self-signed cert into the client's trusted CA file or
directory, then you might be able to use 'TLS_REQCERT demand' and be
secure from MitM attacks.)
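The difference described above, as an added illustration that is not part of the original thread: openssl(1) stands in for the chain check the ldap client library performs under 'demand', using a throwaway self-signed certificate generated in a temp directory (constructed here; openssl is assumed to be installed).

```shell
#!/bin/sh
# Added example: contrast 'TLS_REQCERT allow' with 'TLS_REQCERT demand'
# using openssl(1) as a stand-in for the client library's chain check.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SELF_SIGNED="$WORK/ldap-server.pem"   # plays the LDAP server's self-signed cert

# Constructed input: a fresh self-signed certificate, signed by nobody we trust.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=ldap.example.test" \
    -keyout "$WORK/ldap-server.key" -out "$SELF_SIGNED" >/dev/null 2>&1

# verify_like_demand CERT [CAFILE]
# Returns 0 only when CERT's signature chains to a trusted root, which is what
# 'demand' insists on. Without CAFILE no trust store is consulted at all
# (-no-CApath/-no-CAfile), so a self-signed cert cannot pass.
verify_like_demand() {
    cert=$1; cafile=${2:-}
    if [ -n "$cafile" ]; then
        openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1
    else
        openssl verify -no-CApath -no-CAfile "$cert" >/dev/null 2>&1
    fi
}

# accept_like_allow CERT
# 'allow' proceeds whether or not the chain validates, so this never fails.
accept_like_allow() { return 0; }

echo "allow:  accepts self-signed cert? $(accept_like_allow "$SELF_SIGNED" && echo yes)"
echo "demand: accepts self-signed cert with no trusted CA? $(verify_like_demand "$SELF_SIGNED" && echo yes || echo no)"
echo "demand: accepts it once copied into the trusted CA file? $(verify_like_demand "$SELF_SIGNED" "$SELF_SIGNED" && echo yes || echo no)"
```

The last line mirrors the parenthetical above: once the self-signed cert is in the client's trusted CA file, 'demand' can validate the chain and still reject any other certificate an interposer presents.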