[Date Prev][Date Next] [Chronological] [Thread] [Top]

client (non) verification of server SSL certs

To: openldap-software@OpenLDAP.org
Subject: client (non) verification of server SSL certs
From: John Morris <openldap@butchwax.com>
Date: 21 Oct 2002 01:12:06 +0800
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.2

Howdy!

I've successfully set up a slapd with SSL/TLS, both are working.  I've
been using the openldap tools and GQ to query it, no problem.

The strange thing about it is that I created the CA on the slapd host
machine.  I deliberately didn't tell my separate client machine about
the CA (ie. in my RedHat /usr/share/ssl/cert.pem file there's no
mention of the CA I created on the slapd host).  However, the clients,
both ldapsearch and GQ, don't seem to mind that they're talking to a
server using certs that can't be verified!

Reading through the SSL-related posts from the last several months, it
appears that the 'TLS_CACERT' variable in the /etc/openldap/ldap.conf
file should point to my /usr/share/ssl/cert.pem file, but setting or
not setting this makes no difference.

How do I control this behavior to ensure the client verifies the
servers certificates before continuing with the ldap query?

Thanks for your help!

        John

-- 
John Morris
+852-9777-5286

Follow-Ups:
- RE: client (non) verification of server SSL certs
  - From: "Howard Chu" <hyc@highlandsun.com>
- Re: client (non) verification of server SSL certs
  - From: Tony Earnshaw <tonni@billy.demon.nl>

Prev by Date: Re: Help me:Rename DN with childrens in PHP.
Next by Date: RE: client (non) verification of server SSL certs
Index(es):
- Chronological
- Thread