(ITS#7856) TLS_REQCERT try is same as TLS_REQCERT hard?
Full_Name: Philip Guenther
Version: 2.4.39
OS: OpenBSD
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (76.253.0.176)
The ldap.conf(5) manpage says this about TLS_REQCERT:

       TLS_REQCERT <level>
              Specifies what checks to perform on server certificates in a TLS
              session, if any. The <level> can be specified as one of the
              following keywords:
              ...
              try    The server certificate is requested. If no certificate is
                     provided, the session proceeds normally. If a bad
                     certificate is provided, the session is immediately
                     terminated.
              demand | hard
                     These keywords are equivalent. The server certificate is
                     requested. If no certificate is provided, or a bad
                     certificate is provided, the session is immediately
                     terminated. This is the default setting.
In testing, I can find no difference in behavior between the 'try' and 'hard'
keywords. For the ldap* tools, both 'try' and 'hard' seem to place the same
requirements on the server. What does "if no certificate is provided" *mean* in
terms of server and/or client configuration?
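For readers comparing the levels, the following client ldap.conf is an added example and is not part of the submission above or of OpenLDAP's own documentation. It puts the four TLS_REQCERT keywords from ldap.conf(5) side by side, with the default in effect and the permissive settings left commented out; the hostname and CA path are assumed for illustration.

```conf
# Added example (not from the ITS submission): client ldap.conf with
# an explicit trust anchor and certificate-checking level.
# Hostname and file paths are assumed for illustration.

# Server to contact. ldaps:// negotiates TLS at connect time;
# ldap:// relies on StartTLS (ldapsearch -ZZ) after connecting.
URI             ldaps://ldap.example.com

# Trust anchor used to validate the server certificate. Without a
# usable CA file no presented certificate can validate as "good",
# so 'try' and 'demand' will both terminate the session.
TLS_CACERT      /etc/ssl/certs/example-ca.pem

# Certificate checking level, per ldap.conf(5):
#   never   - no server certificate is requested or checked. The
#             connection is encrypted but the peer is not
#             authenticated.
#   allow   - a certificate is requested; a missing or bad one is
#             ignored and the session proceeds. For an attacker
#             presenting a bad certificate this is the same as never.
#   try     - a certificate is requested; a missing one is tolerated,
#             a bad one terminates the session.
#   demand  - alias 'hard'; a missing or bad certificate terminates
#             the session. This is the default and the setting to
#             keep unless you have a specific reason otherwise.
#
# Weak settings, shown only for comparison (leave commented out):
#TLS_REQCERT    never
#TLS_REQCERT    allow

# Setting in effect:
TLS_REQCERT     demand
```

Every ldap.conf option can also be supplied as an environment variable with an `LDAP` prefix, so `LDAPTLS_REQCERT=try ldapsearch -ZZ -x -H ldap://ldap.example.com -b '' -s base` exercises one level against a test server without editing the file, which is a convenient way to repeat the comparison the submitter describes.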