
Re: TLS_REQCERT and no server certificate



On Tue, Nov 12, 2013 at 2:34 AM, Jan Synacek <jsynacek@redhat.com> wrote:
> TLS_REQCERT <level>
> ...
>    try    The server certificate is requested. If no certificate is
> provided, the session proceeds normally. If a bad certificate is provided, the
> session is immediately terminated.
> Is the manpage wrong or is there any other way I can test the client with no
> server certificate provided?

While troubleshooting an LDAP issue, I stumbled across an IRC log or
mailing list comment (can't remember exactly) which basically said
that try == hard and the manpage was inaccurate to say anything else
(paraphrased). I have not perused the OpenLDAP server or client code
to verify the accuracy of that statement, but the comment (and your
results) matches my experience when troubleshooting.

...Todd
-- 
The total budget at all receivers for solving senders' problems is $0.
 If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine