Re: 2.1.22 not accepting self-signed SSL cert
- To: openldap-software@OpenLDAP.org
- Subject: Re: 2.1.22 not accepting self-signed SSL cert
- From: Tony Earnshaw <tonye@billy.demon.nl>
- Date: Tue, 04 Nov 2003 13:36:37 +0100
- In-reply-to: <64513.68.35.232.20.1067493377.squirrel@mail.theoretic.com>
- References: <64513.68.35.232.20.1067493377.squirrel@mail.theoretic.com>
- User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624
adamtheo@theoretic.com wrote:
> TLSCertificateFile /site/theoretic/ssl/key.pem
> TLSCertificateKeyFile /site/theoretic/ssl/key.pem
> TLSCACertificateFile /site/theoretic/ssl/key.pem
> TLSCipherSuite HIGH:+MEDIUM:!LOW
> TLSVerifyClient never
Maybe someone else has answered already - I'm a modem-occasional
subscriber - but this is wrong. You have to keep to the rules and have
separate public, key and CA cert files.
The (extra jolly) good reason for this, to my feeble mind, is that the
server private key file has to be kept *secret*, while the public key
has to be published and the CA cert file has to be readable by all
clients + the server. Your method would defeat this end. Even if what
you were doing were possible (à la Exim, Courier IMAPD etc.) it would be
a glaring security hole and render the whole point of security via certs
pointless.
--Tonni
--
Tony Earnshaw
Do not CC me or your mail will probably be rejected.
I don't like this, either. Blame it on Swen and a slow
Internet connection.
http://www.billy.demon.nl
Mail: billy-at-billy.demon.nl
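A small lint of the kind this reply argues for, added here as an example (it is not the original poster's configuration nor anything shipped with OpenLDAP): it reads a slapd.conf-style TLS stanza, rejects the one-file layout quoted above, and flags a private key that is readable by other users. The directories, PEM files and file names are constructed placeholders.

```shell
#!/bin/sh
# Lint the TLS stanza of a slapd.conf-style file. The server cert, its private
# key and the CA cert must be three distinct files, and the key file must not be
# readable by 'other'. Returns 0 if acceptable, 1 otherwise; findings go to stderr.
check_tls_stanza() {
    conf=$1
    cert=$(awk '$1 == "TLSCertificateFile"    { print $2 }' "$conf")
    key=$(awk  '$1 == "TLSCertificateKeyFile" { print $2 }' "$conf")
    ca=$(awk   '$1 == "TLSCACertificateFile"  { print $2 }' "$conf")
    rc=0
    if [ -z "$cert" ] || [ -z "$key" ] || [ -z "$ca" ]; then
        echo "$conf: TLSCertificateFile, TLSCertificateKeyFile and TLSCACertificateFile are all required" >&2
        return 1
    fi
    if [ "$cert" = "$key" ] || [ "$cert" = "$ca" ] || [ "$key" = "$ca" ]; then
        echo "$conf: cert, key and CA cert must be separate files (got $cert / $key / $ca)" >&2
        rc=1
    fi
    # A key readable by every local user lets anyone on the box impersonate the server.
    if [ -e "$key" ] && [ -n "$(find "$key" -perm -004)" ]; then
        echo "$conf: private key $key is world-readable" >&2
        rc=1
    fi
    return $rc
}

# Constructed demo: placeholder PEM files (not real keys or certs) in a temp dir.
WORK=$(mktemp -d)
mkdir -p "$WORK/ssl"
for f in key.pem key-leaky.pem cert.pem ca.pem; do echo "placeholder" > "$WORK/ssl/$f"; done
chmod 600 "$WORK/ssl/key.pem"                        # private key: owner-only
chmod 644 "$WORK/ssl/key-leaky.pem" "$WORK/ssl/cert.pem" "$WORK/ssl/ca.pem"

write_conf() {  # $1=conf path, $2=cert, $3=key, $4=CA cert
    printf 'TLSCertificateFile %s\nTLSCertificateKeyFile %s\nTLSCACertificateFile %s\n' \
        "$2" "$3" "$4" > "$1"
}
BAD_CONF=$WORK/bad.conf      # the layout from the original post: one file for everything
write_conf "$BAD_CONF"   "$WORK/ssl/key.pem"  "$WORK/ssl/key.pem"       "$WORK/ssl/key.pem"
LEAKY_CONF=$WORK/leaky.conf  # separate files, but the private key is world-readable
write_conf "$LEAKY_CONF" "$WORK/ssl/cert.pem" "$WORK/ssl/key-leaky.pem" "$WORK/ssl/ca.pem"
GOOD_CONF=$WORK/good.conf    # separate public cert, owner-only private key, CA cert
write_conf "$GOOD_CONF"  "$WORK/ssl/cert.pem" "$WORK/ssl/key.pem"       "$WORK/ssl/ca.pem"

for c in "$BAD_CONF" "$LEAKY_CONF" "$GOOD_CONF"; do
    if check_tls_stanza "$c"; then echo "$c: ok"; else echo "$c: rejected"; fi
done
```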