[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS client certs, SASL EXTERNAL

To: hyc@highlandsun.com
Subject: Re: TLS client certs, SASL EXTERNAL
From: Pierangelo Masarati <masarati@aero.polimi.it>
Date: Sat, 26 Jan 2002 15:54:57 +0100 (MET)
Cc: openldap-devel@OpenLDAP.org
In-reply-to: <005901c1a66f$ad708e20$1001a8c0@fiddle.symas.com> from Howard Chu at Jan "26," 2002 "05:45:12" am

> After testing my recent changes to sasl.c/saslauthz.c, I noticed a slight
> problem with SASL EXTERNAL. Currently the LDAP library can be configured to
> require client certs or ignore client certs on a TLS connection. If SASL
> EXTERNAL is desired on a TLS session, a certificate must be provided. With the
> current code, the server only asks for the client cert if certs are required
> (TLSVerifyClient is On). When TLSVerifyClient is in its default (Off) state,
> the server never asks the client for a cert, and so SASL EXTERNAL can never
> succeed. It seems to me that we need a middle "client cert is optional" state
> in here, so that the server can ask for a client cert but will not complain if
> none is available. Or we can just change the default state to "always ask for
> optional client cert" for simplicity. Opinions, anyone?

I'd prefer to have a third option (say "ASK", or "no" "yes" "critical"
for consistency with the tls options), to allow more fine grain
configuration.  I wonder what solution breaks the least number
of installations :)

Ando

Follow-Ups:
- RE: TLS client certs, SASL EXTERNAL
  - From: "Howard Chu" <hyc@highlandsun.com>

References:
- TLS client certs, SASL EXTERNAL
  - From: "Howard Chu" <hyc@highlandsun.com>

Prev by Date: TLS client certs, SASL EXTERNAL
Next by Date: Re: test002: TLS required?
Index(es):
- Chronological
- Thread