
RE: (ITS#8374) LDAP_OPT_X_TLS_REQUIRE_CERT handling differences between ldaps:// and STARTTLS



Ok, retested with latest code built from source.

I also reconfirmed using a publicly available openldap server, to make sure it isn't something stupid I am doing locally.

So you can reproduce easily, the test pseudo code is:

ldap_initialize (ldaps://ldap.andrew.cmu.edu)
ldap_set_option LDAP_OPT_X_TLS_REQUIRE_CERT (enumerate options)
ldap_sasl_bind_s

ldap_initialize (ldap://128.2.11.104)
ldap_set_option LDAP_OPT_X_TLS_REQUIRE_CERT (enumerate options)
ldap_start_tls_s
ldap_sasl_bind_s

The results are:

Server with valid certificate, all values of LDAP_OPT_X_TLS_REQUIRE_CERT for both ldaps and ldap+starttls connect. This is what I would expect.

Server with invalid certificate (IP does not match the cert FQDN), only NEVER and ALLOW values of LDAP_OPT_X_TLS_REQUIRE_CERT succeed for ldaps (this is what I would expect) however all values of LDAP_OPT_X_TLS_REQUIRE_CERT for ldap+starttls succeed, which is not what I would expect: I think that the certificate check should fail the connection, as per the ldaps behaviour.

Martin...
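The pseudo code above, written out as a runnable script. This is an added example, not code from the ITS#8374 report or from the OpenLDAP project: it uses python-ldap, which wraps the same libldap calls (ldap_initialize, ldap_set_option, ldap_start_tls_s and ldap_sasl_bind_s with the SIMPLE mechanism for an anonymous bind). It generalises the report slightly by running all five REQUIRE_CERT levels over both transports against both the hostname and the IP-only URI, so the "valid certificate" and "name mismatch" cases from the post come out of one run, and it compares each observed result with the behaviour ldap.conf(5) documents for TLS_REQCERT (never/allow proceed on a bad certificate; try/demand/hard terminate). The host and IP defaults are the ones named in the post; python-ldap is assumed to be installed for the network part, while the expectation helpers are pure Python. Setting LDAP_OPT_X_TLS_NEWCTX after the per-handle TLS option is a documented libldap requirement for the new setting to take effect, which is worth ruling out when comparing the two transports.

```python
# Added example (not part of the ITS#8374 report): reproduce the REQUIRE_CERT
# comparison between ldaps:// and ldap://+STARTTLS with python-ldap.
# Assumptions: python-ldap is installed for probe(); host/IP defaults come from the post.

LEVELS = ("never", "allow", "try", "demand", "hard")
TRANSPORTS = ("ldaps", "starttls")


def expected_outcome(level: str, cert_valid: bool) -> bool:
    """Documented TLS_REQCERT semantics (ldap.conf(5)): never and allow continue even
    with a bad certificate; try, demand and hard terminate the session on a bad one."""
    if level in ("never", "allow"):
        return True
    if level in ("try", "demand", "hard"):
        return cert_valid
    raise ValueError(f"unknown REQUIRE_CERT level: {level}")


def probe(uri: str, level: str, use_starttls: bool) -> bool:
    """Return True if an anonymous bind succeeds at the given REQUIRE_CERT level."""
    import ldap  # imported lazily so the pure helpers work without python-ldap

    value = getattr(ldap, "OPT_X_TLS_" + level.upper())  # e.g. ldap.OPT_X_TLS_DEMAND
    conn = ldap.initialize(uri)
    try:
        conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, value)
        # Per-handle TLS options only take effect once a new TLS context is created.
        conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
        if use_starttls:
            conn.start_tls_s()          # ldap_start_tls_s
        conn.simple_bind_s()            # ldap_sasl_bind_s, SIMPLE mechanism, anonymous
        return True
    except ldap.LDAPError:
        return False                    # certificate rejection surfaces here
    finally:
        try:
            conn.unbind_s()
        except ldap.LDAPError:
            pass


def run_matrix(ldaps_uri: str, ldap_uri: str) -> dict:
    """Bind result for every level over ldaps:// and over ldap:// + STARTTLS."""
    return {
        "ldaps": {lvl: probe(ldaps_uri, lvl, use_starttls=False) for lvl in LEVELS},
        "starttls": {lvl: probe(ldap_uri, lvl, use_starttls=True) for lvl in LEVELS},
    }


def discrepancies(results: dict, cert_valid: bool) -> list:
    """(transport, level) pairs whose observed result differs from the documented one."""
    return [(t, lvl) for t in TRANSPORTS for lvl in LEVELS
            if results[t][lvl] != expected_outcome(lvl, cert_valid)]


# Constructed from the observation in the post for the name-mismatch case:
# ldaps rejects the bad certificate for try/demand/hard, STARTTLS never does.
REPORTED_MISMATCH = {
    "ldaps": {"never": True, "allow": True, "try": False, "demand": False, "hard": False},
    "starttls": {lvl: True for lvl in LEVELS},
}


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.andrew.cmu.edu"  # from the post
    ip = sys.argv[2] if len(sys.argv) > 2 else "128.2.11.104"            # from the post
    cases = (
        ("valid certificate (by hostname)", f"ldaps://{host}", f"ldap://{host}", True),
        ("name mismatch (by IP)", f"ldaps://{ip}", f"ldap://{ip}", False),
    )
    for label, ldaps_uri, ldap_uri, valid in cases:
        observed = run_matrix(ldaps_uri, ldap_uri)
        print(label)
        for transport in TRANSPORTS:
            print(f"  {transport:8s}", {lvl: observed[transport][lvl] for lvl in LEVELS})
        print("  deviations from documented behaviour:", discrepancies(observed, valid))
```

Run it as `python3 reqcert_matrix.py [hostname] [ip]`. A healthy libldap prints an empty deviation list for both cases; the behaviour the post describes shows up as `('starttls', 'try')`, `('starttls', 'demand')` and `('starttls', 'hard')` in the name-mismatch case. If the IP in the post has since changed, pass the server's current address as the second argument.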