guenther+ldapdev@sendmail.com wrote:
> Full_Name: Philip Guenther
> Version: 2.3.27
> OS: linux and solaris
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (64.58.1.252)
>
>
> The description of the TLS_REQCERT setting in the ldap.conf(5) manpage does not
> match the actual operation of the code. In particular:
> - clients don't 'request' server certs in TLS. They get one if the cipher suite
>   uses them, otherwise they don't
> - 'allow' checks the identity of the server vs its cert (per RFC 4513,
>   section 3.1.3) and will terminate the connection if they don't match
> - 'try' is the same as 'demand' and 'hard'

Not quite. With both "allow" and "try" it's OK if the server provides no
certificate. The difference is, with "try", if a cert is provided, it
must be valid.

>
>
> Here's a possible patch to ldap.conf.5 to fix the above. A reference to the RFC
> should perhaps be added to the text. I was also tempted to add a sentence to
> the lead-in to clarify that the setting has no effect if the negotiated cipher
> suite doesn't use certs, as a clarification of the "if any" in the existing
> lead-in, but that's minor. Simply having an even slightly correct description
> of 'allow' is the important thing.
>
> --- ldap.conf.5 26 Jan 2006 05:57:49 -0000
> +++ ldap.conf.5 30 Apr 2007 08:39:53 -0000
>  -249,22 +249,20 
> .RS
> .TP
> .B never
> -The client will not request or check any server
certificate.
> +The client will not check the server certificate at
all.
> .TP
> .B allow
> -The server certificate is requested. If no certificate
is provided,
> -the session proceeds normally. If a bad certificate is
provided, it will
> -be ignored and the session proceeds normally.
> -.TP
> -.B try
> -The server certificate is requested. If no certificate
is provided,
> -the session proceeds normally. If a bad certificate is
provided,
> +The client will only verify that name used to connect
to the server
> +matches one of the server certificate's subjectAltName
or CN values.
> +If no match is found, the session is immediately
terminated.
> +.TP
> +.B try | demand | hard
> +These keywords are equivalent.
> +The client will verify the server certificate is valid
and matches the
> +name used to connect (as for 'allow').
> +If a bad or mismatched certificate is provided,
> the session is immediately terminated.
> -.TP
> -.B demand | hard
> -These keywords are equivalent. The server certificate
is requested. If no
> -certificate is provided, or a bad certificate is
provided, the session
> -is immediately terminated. This is the default
setting.
> +This is the default setting.
> .RE
> .TP
> .B TLS_CRLCHECK <level>
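Review bot: the merged `.B try | demand | hard` entry in this hunk misstates "try". As the reply above notes, "try" (like "allow") accepts a server that presents no certificate and only requires that a certificate, if one is presented, be valid; the new text says the three keywords are equivalent, which holds only for "demand" and "hard". Suggest keeping a separate `.B try` entry along the lines of "If no certificate is provided, the session proceeds normally. If a bad or mismatched certificate is provided, the session is immediately terminated." and leaving `.B demand | hard` as the entry that also terminates when no certificate is provided. The rewritten "allow" entry should likewise state explicitly that a missing certificate is accepted, and "verify that name used to connect" should read "verify that the name used to connect".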
>
>
>
--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/
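As an added illustration, not part of this thread and not OpenLDAP's own code, the following Python models the four TLS_REQCERT levels with the semantics the thread arrives at: "never" checks nothing; "allow" and "try" accept a server that presents no certificate (which also covers a cipher suite that uses none); "allow" checks only that the connection name matches a subjectAltName or CN value; "try", "demand" and "hard" additionally require the certificate to be valid; and "demand"/"hard" terminate when no certificate is presented. The `ServerCert` type, its `chain_valid` flag, and the wildcard rule (a `*` as the whole leftmost DNS label, taken from RFC 4513 section 3.1.3) are constructed assumptions for the model, not details from the report or the patch.

```python
"""Model of the TLS_REQCERT levels as clarified in the ITS thread (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ServerCert:
    """Constructed stand-in for the peer certificate; not a real X.509 parse.

    chain_valid models the outcome of the trust-chain/expiry validation that
    OpenSSL would perform (assumption for this model).
    """
    cn: str
    san_dns: List[str] = field(default_factory=list)
    chain_valid: bool = True


def _dns_name_match(pattern: str, name: str) -> bool:
    """Case-insensitive DNS comparison; '*' permitted only as the entire leftmost label."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, n_labels = pattern.split("."), name.split(".")
        # Wildcard covers exactly one label; the remaining labels must be identical.
        return len(p_labels) == len(n_labels) and p_labels[1:] == n_labels[1:]
    return pattern == name


def identity_matches(hostname: str, cert: ServerCert) -> bool:
    """Server identity check: hostname used to connect vs any SAN dNSName or the CN."""
    candidates = list(cert.san_dns) + [cert.cn]
    return any(_dns_name_match(p, hostname) for p in candidates)


def tls_reqcert_decision(level: str, hostname: str, cert: Optional[ServerCert]) -> bool:
    """Return True if the session may proceed, False if it must be terminated.

    cert is None when the server presented no certificate, e.g. because the
    negotiated cipher suite does not use one (clients do not 'request' a cert).
    """
    level = level.lower()
    if level == "never":
        return True                     # no checking of any kind
    if level not in ("allow", "try", "demand", "hard"):
        raise ValueError(f"unknown TLS_REQCERT level: {level}")
    if cert is None:
        # allow/try tolerate a missing certificate; demand/hard do not
        return level in ("allow", "try")
    if not identity_matches(hostname, cert):
        return False                    # name mismatch terminates at every level but never
    if level == "allow":
        return True                     # validity of the certificate itself is ignored
    return cert.chain_valid             # try/demand/hard: the certificate must be valid


if __name__ == "__main__":
    # Constructed sample: a certificate whose name matches but whose chain fails.
    bad_chain = ServerCert(cn="ldap.example.com", chain_valid=False)
    for lvl in ("never", "allow", "try", "demand", "hard"):
        print(lvl, "no cert:", tls_reqcert_decision(lvl, "ldap.example.com", None),
              "bad chain:", tls_reqcert_decision(lvl, "ldap.example.com", bad_chain))
```

The decision function is where the documentation fix matters: "allow" and "try" differ only on the `chain_valid` branch, while "try" and "demand" differ only on the `cert is None` branch, which is exactly the distinction the proposed `try | demand | hard` entry erases.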