(ITS#7856) TLS_REQCERT try is same as TLS_REQCERT hard?
Full_Name: Philip Guenther
Version: 2.4.39
OS: OpenBSD
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (76.253.0.176)


The ldap.conf(5) manpage says this about TLS_REQCERT
       TLS_REQCERT <level>
              Specifies what checks to perform on server certificates in a TLS
              session, if any. The <level> can be specified as one of the
              following keywords:
...

              try    The server certificate is requested. If no certificate is
                     provided, the session proceeds normally. If a bad
                     certificate is provided, the session is immediately
                     terminated.

              demand | hard
                     These keywords are equivalent. The server certificate is
                     requested. If no certificate is provided, or a bad
                     certificate is provided, the session is immediately
                     terminated. This is the default setting.


In testing, I can find no difference in behavior between the 'try' and 'hard'
keywords.  For the ldap* tools, both 'try' and 'hard' seem to place the same
requirements on the server.  What does "if no certificate is provided" *mean* in
terms of server and/or client configuration?
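As an added illustration of the documented levels (not part of the ITS report or of OpenLDAP's own code), the following POSIX shell script reads the effective TLS_REQCERT level out of an ldap.conf-style file and classifies it the way ldap.conf(5) describes: only "demand" and its alias "hard" both require a server certificate and validate it, while "try" validates one only if the server presents it. The "never" and "allow" descriptions come from the same manpage section elided above; the sample ldap.conf contents are constructed.

```shell
#!/bin/sh
# Added example, not part of the ITS#7856 report: audit the TLS_REQCERT
# level in an ldap.conf-style file against the levels listed in ldap.conf(5).

# Print the effective TLS_REQCERT level (lower-cased) from an ldap.conf file.
# The keyword is matched case-insensitively, comment lines are skipped, the
# last occurrence wins, and a missing directive yields the documented
# default, "demand".
reqcert_level() {
    awk 'tolower($1) == "tls_reqcert" { lvl = tolower($2) }
         END { print (lvl == "" ? "demand" : lvl) }' "$1"
}

# Return 0 only if the level guarantees that a server certificate is both
# required and validated ("demand" or its alias "hard").
reqcert_is_strict() {
    case "$(reqcert_level "$1")" in
        demand|hard) return 0 ;;
        *)           return 1 ;;
    esac
}

# One-line verdict for a file: the level and what ldap.conf(5) says it does.
reqcert_report() {
    lvl=$(reqcert_level "$1")
    case "$lvl" in
        demand|hard) echo "$1: $lvl - certificate required and validated" ;;
        try)   echo "$1: try - validated only if the server sends one" ;;
        allow) echo "$1: allow - bad or missing certificate is ignored" ;;
        never) echo "$1: never - certificate is not even requested" ;;
        *)     echo "$1: $lvl - unknown level" ;;
    esac
}

# Demo on a constructed file (sample contents, not taken from any real host).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample ldap.conf
BASE   dc=example,dc=com
URI    ldaps://ldap.example.com
TLS_CACERT /etc/ssl/certs/ca.pem
TLS_REQCERT try
EOF
reqcert_report "$demo"
rm -f "$demo"
```

Run it against a client's /etc/openldap/ldap.conf (or the per-user ~/.ldaprc) to see which level the ldap* tools will actually apply; anything other than demand/hard is worth a second look, since it is the only documented setting under which a missing certificate is fatal.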