Re: Antw: Re: TLS_REQCERT and no server certificate
On Wed, 13 Nov 2013, Ulrich Windl wrote:
> >>> Philip Guenther <firstname.lastname@example.org> wrote on 12.11.2013 at 16:37
> in message <alpine.BSO.email@example.com>:
> > On Tue, 12 Nov 2013, Jan Synacek wrote:
> >> quoting ldap.conf(5):
> >> TLS_REQCERT <level>
> >> ...
> >> try The server certificate is requested. If no certificate is
> >> provided, the session proceeds normally.
> Maybe that should read "... If no VALID certificate is..."
I can't tell whether you're claiming that's how the code
* _does_ behave, and you've tested it
* _does_ behave, but you haven't tested it, OR
* _should_ behave, in your opinion.
> > Almost all TLS cipher suites, including the most deployed ones,
> > require the server to have a certificate, period. If you look at the
> > output of
> Yes, but the certificate could be expired or mismatching the host, etc.
I see no guarantee from OpenLDAP docs or code or OpenSSL docs or code that
such a setup would not fail immediately. I'm not going to bother checking
because such a setup would be insecure and a waste of resources.
"What problem are you trying to solve?"
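The thread turns on what the TLS_REQCERT levels in ldap.conf actually permit. The following script is an added example, not code from the thread or from OpenLDAP: it audits a client ldap.conf for its TLS_REQCERT level and reports anything other than demand/hard as weak, using the level semantics documented in ldap.conf(5). The sample config files are constructed here for illustration, and the assumption that the last occurrence of the keyword wins is the script's own, not something the man page states.

```shell
#!/bin/sh
# Added example, not from the original thread: audit the TLS_REQCERT level
# of an OpenLDAP client ldap.conf.  Level meanings as documented in ldap.conf(5):
#   never        no server certificate is requested or checked
#   allow        certificate requested; missing or bad cert -> proceed
#   try          certificate requested; missing -> proceed, bad -> terminate
#   demand/hard  certificate required and checked; anything else -> terminate
#                (demand is the default when the keyword is absent)
# demand/hard are the only levels under which the session cannot continue
# without a verified server certificate, so every other level is reported
# as weak.

# Print the effective TLS_REQCERT level from the file given as $1, lower-cased,
# defaulting to "demand" when the keyword is absent.  Keywords are matched
# case-insensitively; comment lines (first field starts with '#') never match.
# Assumption: if the keyword appears more than once, the last occurrence wins.
effective_reqcert() {
    awk 'tolower($1) == "tls_reqcert" { level = tolower($2) }
         END { print (level == "" ? "demand" : level) }' "$1"
}

# Report the level; return 0 when it forces server verification, 1 otherwise.
audit_reqcert() {
    level=$(effective_reqcert "$1")
    case "$level" in
        demand|hard)
            echo "$1: TLS_REQCERT $level - server certificate is required and verified"
            return 0 ;;
        never|allow|try)
            echo "$1: TLS_REQCERT $level - WEAK: session may proceed without a verified server certificate"
            return 1 ;;
        *)
            echo "$1: TLS_REQCERT $level - unknown level, treat as a misconfiguration"
            return 1 ;;
    esac
}

# Constructed sample configs (illustrative, not real deployments).
weak_conf=$(mktemp)
cat > "$weak_conf" <<'EOF'
# ldap.conf with the setting discussed in the thread
BASE   dc=example,dc=com
URI    ldaps://ldap.example.com
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT try
EOF

fixed_conf=$(mktemp)
cat > "$fixed_conf" <<'EOF'
# Same file with the client required to verify the server
BASE   dc=example,dc=com
URI    ldaps://ldap.example.com
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT demand
EOF

audit_reqcert "$weak_conf" || true
audit_reqcert "$fixed_conf"
```

Run it against /etc/ldap/ldap.conf (or wherever the client config lives, including a per-user ~/.ldaprc) to see which level the client will actually apply; note that the LDAPTLS_REQCERT environment variable can override the file at run time, so an audit of the file alone is not the whole picture.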