On Mon, 30 Apr 2007, Howard Chu wrote:
> guenther+ldapdev sendmail.com wrote:
...
>> - 'allow' checks the identity of the server vs its cert (per RFC 4513,
>> section 3.1.3) and will terminate the connection if they don't match
>> - 'try' is the same as 'demand' and 'hard'
>
> Not quite. With both "allow" and "try" it's OK if the server provides no
> certificate.

That's true of 'demand' and 'hard' as well. The only difference between
'try' and 'demand' in the code is that the latter passes
SSL_CTX_set_verify() the SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag, but that
flag has NO EFFECT on SSL clients. This is documented on the
SSL_CTX_set_verify() manpage and confirmed by grepping the openssl source
for it.

If you don't believe me, I suggest you try configuring your server to
accept the ADH suites (don't forget to set TLSDHParamFile to /dev/null)
and give ldapsearch a whirl with
    LDAPTLS_REQCERT=hard
    LDAPTLS_CIPHER_SUITE=ADH-AES256-SHA
in your environment. That's what I did.

Philip Guenther