
Re: (ITS#4072) Feature request: Don't list StartTLS (1.3.6.1.4.1.1466.20037) if not configured correctly

At 04:19 PM 10/10/2005, michael@stroeder.com wrote:
>Howard Chu wrote:
>> Michael Ströder wrote:
>> 
>>> Howard Chu wrote:
>>>  
>>>> michael@stroeder.com wrote:
>>>>
>>>>> I'd like to propose that StartTLS (1.3.6.1.4.1.1466.20037) is not
>>>>> listed in
>>>>> rootDSE's attribute supportedExtension if TLS/SSL is not configured
>>>>> correctly.
>>>>
>>>> What does "not configured correctly" mean? E.g., if invalid files are
>>>> used for the cert/key file options, ldap_pvt_tls_init_def_ctx() will
>>>> fail, and slapd will refuse to startup. What other configurations are
>>>> you concerned with?
>>>
>>> Well, rather not configured at all but compiled with TLS support.
>>>   
>> 
>> I guess that makes sense. Done. Please test.
>
>Seems to work especially with this particular client which failed to
>connect before. Thanks!

I note that your report implies that this client may be
prone to a downgrade attack; you might consider reporting
this to its developer.

-- Kurt
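The two behaviours discussed in this thread, the server-side change (only list the StartTLS OID in rootDSE's supportedExtension when TLS is actually usable) and the client-side downgrade risk Kurt points at, modelled as an added example. This is not OpenLDAP code: the ServerConfig class, the connect_* policies and the sample cert/key file names are constructed for illustration, and "TLS configured" is simplified to "cert and key files are set".

```python
"""Added example (not from the OpenLDAP thread or slapd's sources).

Models (a) the fix: StartTLS (1.3.6.1.4.1.1466.20037) is only advertised in
rootDSE when TLS is configured, and (b) why a client that keys its behaviour
off that advertisement is downgrade-prone, next to a policy that is not.
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation OID (from the thread)


class ServerConfig:
    """Hypothetical, slapd-like server configuration (constructed for this example)."""

    def __init__(self, tls_compiled_in, cert_file=None, key_file=None):
        self.tls_compiled_in = tls_compiled_in
        self.cert_file = cert_file
        self.key_file = key_file

    def tls_configured(self):
        # The thread's case: built with TLS support but no cert/key configured at all.
        return self.tls_compiled_in and bool(self.cert_file) and bool(self.key_file)


def root_dse_supported_extension(cfg):
    """Build supportedExtension the way the fix does: list StartTLS only when TLS is usable."""
    exts = []
    if cfg.tls_configured():
        exts.append(STARTTLS_OID)
    return exts


def server_start_tls(cfg):
    """Server's answer to a StartTLS extended request: True means TLS was negotiated."""
    return cfg.tls_configured()


class DowngradeError(Exception):
    """Raised by a TLS-required client that would otherwise continue in plaintext."""


def connect_opportunistic(cfg, root_dse_exts):
    """Downgrade-prone client: trusts the rootDSE read and falls back to plaintext."""
    if STARTTLS_OID in root_dse_exts and server_start_tls(cfg):
        return "tls"
    return "plain"


def connect_tls_required(cfg, root_dse_exts):
    """Safe client: always issues StartTLS and never proceeds without it."""
    # The advertisement is read over an unprotected connection, so it is untrusted
    # input; this policy does not consult it at all.
    del root_dse_exts
    if not server_start_tls(cfg):
        raise DowngradeError("StartTLS failed; refusing to continue in plaintext")
    return "tls"


def outcome(policy, cfg, root_dse_exts):
    """Run a client policy and report 'tls', 'plain' or 'refused'."""
    try:
        return policy(cfg, root_dse_exts)
    except DowngradeError:
        return "refused"


def strip_starttls(exts):
    """Constructed tampered rootDSE: the StartTLS OID removed from the list.

    Stands in for any reason the advertisement might be missing on the wire
    (misconfiguration or tampering); a client policy must be safe in both cases.
    """
    return [e for e in exts if e != STARTTLS_OID]


if __name__ == "__main__":
    # Constructed sample configurations: TLS compiled in but unconfigured, and fully configured.
    unconfigured = ServerConfig(tls_compiled_in=True)
    configured = ServerConfig(tls_compiled_in=True, cert_file="server.pem", key_file="server.key")

    print("unconfigured advertises:", root_dse_supported_extension(unconfigured))
    print("configured advertises:  ", root_dse_supported_extension(configured))
    for name, policy in (("opportunistic", connect_opportunistic), ("tls-required", connect_tls_required)):
        print(name, "vs unconfigured server:", outcome(policy, unconfigured, root_dse_supported_extension(unconfigured)))
        tampered = strip_starttls(root_dse_supported_extension(configured))
        print(name, "vs configured server, OID stripped:", outcome(policy, configured, tampered))
```

The point the table of outcomes makes: after the fix, an unconfigured server no longer advertises StartTLS, which is what let the reporter's client connect. But a client that only protects the session when the OID is present still ends up in plaintext whenever that OID is missing, whether by misconfiguration or by tampering with the unprotected rootDSE read, while a client that requires StartTLS and fails closed is unaffected by the advertisement.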