
Re: ssl negotiation and openldap

Brett @Google wrote:

> I've recently had issues with a 3rd party java client using jdk 1.4.x, trying
> to connect with ldaps:// to openldap 2.4.26, compiled with OpenSSL 1.0.0d

> It would appear that the client's jdk 1.4.x has a few harsh restrictions with
> regard to modulus size in certificates, even with all unrestricted "export"
> policies installed.

> So I was wondering a few things:
>
> 1. does openldap do anything with the CA certs, other than verify local or
> remote certificates, such as sending them over the ssl connection?

OpenLDAP doesn't do *anything* with certs. The backing TLS library does. What the TLS library does is the same thing it does for any TLS session, be it https, smtps, or whatever.

> 2. it's my understanding that in SSL negotiation, only server or client
> certificates are exchanged, and CA certs are not sent over the wire
> (as IMHO it would literally be a "trust" issue to do otherwise :).

I suggest you run ldapsearch -d7 and see exactly what happens.

> 3. other than providing certificates / keys to the openssl API, is there
> anything special that happens other than hand off to stock openssl negotiation?


> Trying to work out what is being sent to the client to trigger a "modulus
> size" error on the client, other than the client's inherent badness which I cannot
> control :)

JDK 1.4? Good luck.

> If 3. is no, then I'm open to any suggestions with regard to interesting or
> useful SSL negotiation documents out there, that might shed some light.


> *The only thing that interferes with my learning is my education.*
> Albert Einstein

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
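A complementary way to see "exactly what happens" on the wire, as suggested above, is to capture the chain the LDAPS server presents in the handshake and report each certificate's key size, which also answers question 2 directly (a CA cert shows up only if the server's TLS library sent it). This is an added example, not code from the thread or from OpenLDAP; it assumes a POSIX shell and the openssl CLI, and the host and port are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP: capture the
# certificate chain an LDAPS server really sends in its TLS handshake and
# report each certificate's public-key size. Assumes a POSIX shell and the
# openssl CLI; the host and port passed to fetch_chain are placeholders.

# Save every certificate the server presents ("-showcerts"). A CA cert only
# reaches the client if the server's TLS library includes it in the chain.
fetch_chain() {
    host=$1; port=${2:-636}   # 636 is the ldaps:// default port
    openssl s_client -connect "$host:$port" -showcerts </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Print "subject<TAB>bits" for each certificate in the PEM bundle $1,
# in the order the server sent them.
chain_key_sizes() {
    bundle=$1
    tmp=$(mktemp -d) || return 1
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/" sprintf("%02d", n) ".pem") }' "$bundle"
    for f in "$tmp"/*.pem; do
        [ -f "$f" ] || continue
        subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        # "Public-Key: (2048 bit)" is printed for RSA and EC keys alike
        bits=$(openssl x509 -in "$f" -noout -pubkey |
               openssl pkey -pubin -text -noout |
               sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
        printf '%s\t%s\n' "$subj" "$bits"
    done
    rm -rf "$tmp"
}

# Smallest key size anywhere in the chain: the value a client with a
# modulus-size limit will trip on, whichever certificate carries it.
min_key_bits() {
    chain_key_sizes "$1" | awk -F'\t' 'NR == 1 || $2 < m { m = $2 } END { print m }'
}

# Usage: fetch_chain ldap.example.test 636 > chain.pem; chain_key_sizes chain.pem
```

Comparing the certificates listed here against what the server was configured with tells you whether the TLS library sent the CA certs at all, and which certificate's key size the client is objecting to.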