Re: Antw: Re: TLS_REQCERT and no server certificate

On Wed, 13 Nov 2013, Ulrich Windl wrote:

> >>> Philip Guenther <guenther+ldaptech@sendmail.com> schrieb am 12.11.2013 um 16:37
> in Nachricht <alpine.BSO.2.11.1311120655310.19673@morgaine.local>:
> > On Tue, 12 Nov 2013, Jan Synacek wrote:
> >> quoting ldap.conf(5):
> >> 
> >> TLS_REQCERT <level>
> >> ...
> >>    try    The  server  certificate  is  requested. If no certificate is
> >> provided, the session proceeds normally.
> Maybe that should read "... If no VALID certificate is..."

I can't tell whether you're claiming that's how the code
 * _does_ behave, and you've tested it
 * _does_ behave, but you haven't tested it, OR
 * _should_ behave, in your opinion.

> > Almost all TLS cipher suites, including the most deployed ones, 
> > require the server to have a certificate, period.  If you look at the 
> > output of
> Yes, but the certificate could be expired or mismatching the host, etc.

I see no guarantee from OpenLDAP docs or code or OpenSSL docs or code that 
such a setup would not fail immediately.  I'm not going to bother checking 
because such a setup would be insecure and a waste of resources.

"What problem are you trying to solve?"

Philip Guenther
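Added example, not part of the thread: an OpenLDAP client ldap.conf fragment contrasting the weak TLS_REQCERT levels under discussion with the setting that actually makes the server certificate matter. The four level names and the TLS_CACERT directive are from ldap.conf(5); the CA file path is a placeholder.

```conf
# Weak settings (shown commented out; do not enable):
#   never  - no server certificate is requested or checked at all
#   allow  - certificate requested; a missing or bad one is ignored
#   try    - certificate requested; if none is provided the session
#            proceeds normally (the man page text quoted in this thread)
#TLS_REQCERT never
#TLS_REQCERT allow
#TLS_REQCERT try

# Hardened setting: the server must present a certificate, and it must
# validate against the configured CA; anything else ends the session.
TLS_REQCERT demand

# Validation is only meaningful with a trust anchor; without one even
# "demand" has nothing to verify the chain against.
# Placeholder path - point this at the CA bundle that signed your
# directory servers' certificates.
TLS_CACERT /etc/openldap/certs/ldap-ca.pem
```

With "demand" in place, a client that used to connect to an expired or mis-named server certificate under "try" or "allow" fails at the TLS handshake instead of silently continuing, which is the observable check for whether the directory connection is really authenticated.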