Re: TLS client certs, SASL EXTERNAL

> After testing my recent changes to sasl.c/saslauthz.c, I noticed a slight
> problem with SASL EXTERNAL. Currently the LDAP library can be configured to
> require client certs or ignore client certs on a TLS connection. If SASL
> EXTERNAL is desired on a TLS session, a certificate must be provided. With the
> current code, the server only asks for the client cert if certs are required
> (TLSVerifyClient is On). When TLSVerifyClient is in its default (Off) state,
> the server never asks the client for a cert, and so SASL EXTERNAL can never
> succeed. It seems to me that we need a middle "client cert is optional" state
> in here, so that the server can ask for a client cert but will not complain if
> none is available. Or we can just change the default state to "always ask for
> optional client cert" for simplicity. Opinions, anyone?

I'd prefer to have a third option (say "ASK", or "no", "yes", "critical"
for consistency with the tls options), to allow more fine-grained
configuration. I wonder what solution breaks the least number
of installations :)