Re: client (non) verification of server SSL certs
Ahh, yes, I'm on 2.0.23, that's important. I need to upgrade, if only
for new docs; TLS_REQCERT isn't mentioned at all in the man page.
I very much appreciate the tip. You'd think after three months of
reading this list I'd realize the importance of using something newer
than the standard RedHat 7.3 RPM. :P
John
"Howard Chu" <hyc@highlandsun.com> writes:
> You didn't mention which version of OpenLDAP you're using. Recent versions
> have cert verification enabled by default, but older versions don't. You can
> explicitly set this using TLS_REQCERT (all 2.x.y versions) in
> /etc/openldap/ldap.conf. See the ldap.conf(5) man page.
>
> -- Howard Chu
> Chief Architect, Symas Corp. Director, Highland Sun
> http://www.symas.com http://highlandsun.com/hyc
> Symas: Premier OpenSource Development and Support
>
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of John Morris
> > Sent: Sunday, October 20, 2002 10:12 AM
> > To: openldap-software@OpenLDAP.org
> > Subject: client (non) verification of server SSL certs
> >
> >
> > Howdy!
> >
> > I've successfully set up a slapd with SSL/TLS, both are working. I've
> > been using the openldap tools and GQ to query it, no problem.
> >
> > The strange thing about it is that I created the CA on the slapd host
> > machine. I deliberately didn't tell my separate client machine about
> > the CA (i.e. in my RedHat /usr/share/ssl/cert.pem file there's no
> > mention of the CA I created on the slapd host). However, the clients,
> > both ldapsearch and GQ, don't seem to mind that they're talking to a
> > server using certs that can't be verified!
> >
> > Reading through the SSL-related posts from the last several months, it
> > appears that the 'TLS_CACERT' variable in the /etc/openldap/ldap.conf
> > file should point to my /usr/share/ssl/cert.pem file, but setting or
> > not setting this makes no difference.
> >
> > How do I control this behavior to ensure the client verifies the
> > server's certificates before continuing with the ldap query?
> >
> > Thanks for your help!
> >
> > John
> >
> > --
> > John Morris
> > +852-9777-5286
> >
> >
>
--
John Morris
+852-9777-5286
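To make the TLS_REQCERT / TLS_CACERT discussion above concrete, here is a small audit script (added here; it is not code from the thread or from the OpenLDAP project) that reads a client-side ldap.conf and reports whether the client would actually verify the server's certificate. The value semantics in the table come from ldap.conf(5): only `demand` (alias `hard`) terminates the session on a missing or unverifiable certificate, `never` skips the check entirely, and `allow`/`try` tolerate a missing certificate. The script assumes the current documented default of `demand` when the directive is absent; as Howard notes, older 2.0.x releases did not verify by default, so on such a client the absence of the directive should not be read as safe. The two embedded configs are constructed samples, not John's real files.

```python
"""Audit an OpenLDAP client ldap.conf for server-certificate verification posture.

Constructed example: parses ldap.conf directives ("NAME value" per line, '#'
comments) and explains what TLS_REQCERT / TLS_CACERT imply for the TLS session.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Semantics from ldap.conf(5). Only demand/hard refuse to continue without a
# verifiable server certificate; every other level lets an unverified server in.
REQCERT_LEVELS = {
    "never": "client never requests or checks a server certificate",
    "allow": "bad or missing certificate is ignored, session proceeds",
    "try": "missing certificate is ignored, bad certificate ends the session",
    "demand": "certificate required and must verify, otherwise session ends",
    "hard": "equivalent to demand",
}
STRICT_LEVELS = ("demand", "hard")


@dataclass
class TlsPosture:
    reqcert: str                     # effective TLS_REQCERT value (lower-cased)
    cacert: Optional[str]            # TLS_CACERT path, if any
    cacertdir: Optional[str]         # TLS_CACERTDIR path, if any
    findings: List[str] = field(default_factory=list)

    @property
    def verifies_server(self) -> bool:
        """True only if the client both demands verification and has a trust anchor."""
        return self.reqcert in STRICT_LEVELS and bool(self.cacert or self.cacertdir)


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Return directive -> value; names are upper-cased, last occurrence wins."""
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        directives[name] = value
    return directives


def audit(text: str) -> TlsPosture:
    """Evaluate one ldap.conf body and collect human-readable findings."""
    d = parse_ldap_conf(text)
    # "demand" is the default in current ldap.conf(5); older 2.0.x clients
    # (as in the thread) did not verify by default, so treat absence with care.
    reqcert = d.get("TLS_REQCERT", "demand").lower()
    posture = TlsPosture(reqcert=reqcert,
                         cacert=d.get("TLS_CACERT"),
                         cacertdir=d.get("TLS_CACERTDIR"))
    if reqcert not in REQCERT_LEVELS:
        posture.findings.append(f"unknown TLS_REQCERT value {reqcert!r}")
    elif reqcert not in STRICT_LEVELS:
        posture.findings.append(f"TLS_REQCERT {reqcert}: {REQCERT_LEVELS[reqcert]}")
    if not (posture.cacert or posture.cacertdir):
        posture.findings.append(
            "no TLS_CACERT or TLS_CACERTDIR: nothing to verify the server chain against")
    return posture


# Constructed sample: a client that never checks the server (what the thread
# describes observing on the old RedHat client).
WEAK_CONF = """\
BASE   dc=example,dc=com
URI    ldaps://ldap.example.com
TLS_REQCERT never
"""

# Constructed sample: verification demanded, with a CA bundle to check against.
FIXED_CONF = """\
BASE   dc=example,dc=com
URI    ldaps://ldap.example.com
TLS_CACERT  /usr/share/ssl/cert.pem
TLS_REQCERT demand
"""


def report(name: str, text: str) -> str:
    """Render one audit result as a short multi-line string."""
    p = audit(text)
    status = "VERIFIES server cert" if p.verifies_server else "DOES NOT verify server cert"
    lines = [f"{name}: TLS_REQCERT={p.reqcert} -> {status}"]
    lines.extend(f"  - {f}" for f in p.findings)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("weak", WEAK_CONF))
    print(report("fixed", FIXED_CONF))
```

Note that `demand` without a trust anchor is reported as not verifying: the handshake would fail outright rather than succeed silently, which is exactly the failure John expected and did not see. Setting TLS_CACERT alone, as he tried, is not enough on a client whose effective TLS_REQCERT is `never`.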