[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: client (non) verification of server SSL certs

To: "Howard Chu" <hyc@highlandsun.com>
Subject: Re: client (non) verification of server SSL certs
From: John Morris <openldap@butchwax.com>
Date: 21 Oct 2002 02:38:42 +0800
Cc: <openldap-software@OpenLDAP.org>
In-reply-to: <022301c27863$ca0780e0$0e01a8c0@CELLO>
References: <022301c27863$ca0780e0$0e01a8c0@CELLO>
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.2

Ahh, yes, I'm on 2.0.23, that's important.  I need to upgrade, if only
for new docs; TLS_REQCERT isn't mentioned at all in the man page.

I very much appreciate the tip.  You'd think after three months of
reading this list I'd realize the importance of using something newer
than the standard RedHat 7.3 RPM.  :P

        John


"Howard Chu" <hyc@highlandsun.com> writes:

> You didn't mention which version of OpenLDAP you're using. Recent versions
> have cert verification enabled by default, but older versions don't. You can
> explicitly set this using TLS_REQCERT (all 2.x.y versions) in
> /etc/openldap/ldap.conf. See the ldap.conf(5) man page.
> 
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support
> 
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of John Morris
> > Sent: Sunday, October 20, 2002 10:12 AM
> > To: openldap-software@OpenLDAP.org
> > Subject: client (non) verification of server SSL certs
> >
> >
> > Howdy!
> >
> > I've successfully set up a slapd with SSL/TLS, both are working.  I've
> > been using the openldap tools and GQ to query it, no problem.
> >
> > The strange thing about it is that I created the CA on the slapd host
> > machine.  I deliberately didn't tell my separate client machine about
> > the CA (ie. in my RedHat /usr/share/ssl/cert.pem file there's no
> > mention of the CA I created on the slapd host).  However, the clients,
> > both ldapsearch and GQ, don't seem to mind that they're talking to a
> > server using certs that can't be verified!
> >
> > Reading through the SSL-related posts from the last several months, it
> > appears that the 'TLS_CACERT' variable in the /etc/openldap/ldap.conf
> > file should point to my /usr/share/ssl/cert.pem file, but setting or
> > not setting this makes no difference.
> >
> > How do I control this behavior to ensure the client verifies the
> > servers certificates before continuing with the ldap query?
> >
> > Thanks for your help!
> >
> >         John
> >
> > --
> > John Morris
> > +852-9777-5286
> >
> >
> 

-- 
John Morris
+852-9777-5286

References:
- RE: client (non) verification of server SSL certs
  - From: "Howard Chu" <hyc@highlandsun.com>

Prev by Date: Re: client (non) verification of server SSL certs
Next by Date: Re: simple bind and crypt hash
Index(es):
- Chronological
- Thread