Re: (ITS#7856) TLS_REQCERT try is same as TLS_REQCERT hard?
On 05/16/2014 09:11 AM, pguenther@proofpoint.com wrote:
> Full_Name: Philip Guenther
> Version: 2.4.39
> OS: OpenBSD
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (76.253.0.176)
>
>
> The ldap.conf(5) manpage says this about TLS_REQCERT
> TLS_REQCERT <level>
>        Specifies what checks to perform on server certificates in a TLS
>        session, if any. The <level> can be specified as one of the
>        following keywords:
> ...
>
>        try    The server certificate is requested. If no certificate is
>               provided, the session proceeds normally. If a bad
>               certificate is provided, the session is immediately
>               terminated.
>
>        demand | hard
>               These keywords are equivalent. The server certificate is
>               requested. If no certificate is provided, or a bad
>               certificate is provided, the session is immediately
>               terminated. This is the default setting.
>
>
> In testing, I can find no difference in behavior between the 'try' and 'hard'
> keywords. For the ldap* tools, both 'try' and 'hard' seem to place the same
> requirements on the server. What does "if no certificate is provided" *mean* in
> terms of server and/or client configuration?
>
See ITS#7744.
--
Jan Synacek
Software Engineer, Red Hat
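Added example, not OpenLDAP code and not the content of ITS#7744 (the reply only points there): a small Go program using the standard crypto/tls package to exercise, against a loopback TLS server, the three situations the quoted manpage text distinguishes. The server name ldap.example.test and the throwaway self-signed certificate are constructed for the demo, and Go's TLS stack stands in for whatever libldap is built against, so this says nothing about what libldap itself does. It shows that a client whose CA store contains the server's certificate proceeds, that the same certificate is rejected as untrusted when the CA store is empty (the demand/hard behaviour), that only switching verification off (the never analogue) accepts it, and that the TLS stack will not even bring up a server that has no certificate configured, which is one concrete way to read the reporter's "what does 'if no certificate is provided' mean" for an ordinary server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const serverName = "ldap.example.test" // hypothetical name; constructed for this example

// NewServerCert builds a throwaway self-signed certificate standing in for an
// LDAP server's certificate; whether a client accepts it depends only on the CA pool.
func NewServerCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// Handshake runs one TLS handshake against a loopback server presenting serverCert
// and reports the client's verdict in the manpage's wording. trusted is the client's
// CA store (the TLS_CACERT analogue); skipVerify is the TLS_REQCERT never analogue.
func Handshake(serverCert tls.Certificate, trusted *x509.CertPool, skipVerify bool) string {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return "listen failed: " + err.Error()
	}
	serverDone := make(chan struct{})
	go func() { // server side; a rejecting client sends an alert, so this fails in step
		defer close(serverDone)
		if conn, err := ln.Accept(); err == nil {
			_ = conn.(*tls.Conn).Handshake()
			conn.Close()
		}
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		ServerName: serverName, RootCAs: trusted, InsecureSkipVerify: skipVerify,
	})
	if err == nil {
		cli.Close()
	}
	ln.Close() // also unblocks Accept if the dial never reached the server
	<-serverDone
	var untrusted x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "session proceeds"
	case errors.As(err, &untrusted):
		return "terminated: bad certificate (issuer not trusted)"
	}
	return "terminated: " + err.Error()
}

// NoCertificateServer tries to bring up a TLS server with no certificate at all:
// crypto/tls refuses before a socket is even opened.
func NoCertificateServer() error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{})
	if err == nil {
		ln.Close()
	}
	return err
}

func main() {
	cert, err := NewServerCert()
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(cert.Leaf)
	fmt.Println("demand/hard, CA known:  ", Handshake(cert, trusted, false))
	fmt.Println("demand/hard, CA unknown:", Handshake(cert, x509.NewCertPool(), false))
	fmt.Println("never, CA unknown:      ", Handshake(cert, x509.NewCertPool(), true))
	fmt.Println("server with no certificate:", NoCertificateServer())
}
```

The CA-unknown case is the one TLS_REQCERT demand/hard is there to catch: the server does present a certificate, it just does not chain to anything the client trusts, so the session is terminated. Nothing in this program can make a standard TLS server present no certificate at all, which is why a client-side "try" has nothing to be lenient about against an ordinary server.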