
ldapsearch allows SSL even w/o correct TLS_CACERT



Hello All,

How is TLS_CACERT supposed to work?  PADL's
tls_cacertfile/tls_checkpeer works for rejecting bad SSL
certs, but OpenLDAP's TLS_CACERT/TLS_REQCERT don't seem to
do the same -- if TLS_CACERT isn't the cert for the server's
CA, no error occurs, whereas I was expecting to see it fail.
The absence of TLS_CACERT allows all connections as well;
only pointing TLS_CACERT at a directory (as an
expecting-failure test) will cause the connection to fail.

Any suggestions?  I am trying to supply a single CA cert to
OpenLDAP so as to use self-signed certs legitimately (which
works fine with PADL's pam/nss libs).

Thanks,

-cg
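An added example, not part of the original message and not OpenLDAP's own code: a small POSIX-shell lint for the client-side TLS directives in an ldap.conf, together with constructed sample configurations that contrast a setting which silently accepts a server certificate that does not chain to TLS_CACERT with one that rejects it. It assumes the ldap.conf(5) semantics of TLS_REQCERT (never, allow, try, demand, hard), that TLS_CACERT names a single PEM file while TLS_CACERTDIR names a directory, and that the hostname, base DN and CA file path are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenLDAP): lint the TLS
# directives of an ldap.conf. Assumes ldap.conf(5) semantics for TLS_REQCERT
# and that TLS_CACERT is a file while TLS_CACERTDIR is a directory.
set -eu

# Print the first value of a directive (keywords are case-insensitive),
# ignoring comments; prints nothing if the directive is absent.
ldap_conf_get() {
    conf="$1"; key="$2"
    sed -e 's/#.*//' "$conf" \
      | awk -v k="$key" 'toupper($1) == toupper(k) { print $2; exit }'
}

# Returns 0 only when this ldap.conf makes the client terminate a session whose
# server certificate cannot be verified against the configured trust anchor.
# Otherwise prints the reason(s) and returns 1.
ldap_tls_config_check() {
    conf="$1"
    reqcert=$(ldap_conf_get "$conf" TLS_REQCERT)
    cacert=$(ldap_conf_get "$conf" TLS_CACERT)
    cacertdir=$(ldap_conf_get "$conf" TLS_CACERTDIR)
    status=0

    case "$(printf '%s' "$reqcert" | tr 'A-Z' 'a-z')" in
        demand|hard) ;;   # bad or missing server cert => session terminated
        "")    echo "WARN: TLS_REQCERT not set; verification depends on the library default"; status=1 ;;
        never) echo "FAIL: TLS_REQCERT never: server certificate is not checked at all"; status=1 ;;
        allow) echo "FAIL: TLS_REQCERT allow: a bad server certificate is accepted"; status=1 ;;
        try)   echo "FAIL: TLS_REQCERT try: a server presenting no certificate is accepted"; status=1 ;;
        *)     echo "FAIL: unknown TLS_REQCERT value '$reqcert'"; status=1 ;;
    esac

    if [ -n "$cacert" ] && [ ! -f "$cacert" ]; then
        echo "FAIL: TLS_CACERT '$cacert' is not a file (a directory belongs in TLS_CACERTDIR)"
        status=1
    fi
    if [ -n "$cacertdir" ] && [ ! -d "$cacertdir" ]; then
        echo "FAIL: TLS_CACERTDIR '$cacertdir' is not a directory"; status=1
    fi
    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "FAIL: no trust anchor configured (TLS_CACERT or TLS_CACERTDIR)"; status=1
    fi
    return $status
}

# Constructed samples (placeholders, not real deployments) written to a temp
# directory whose path is printed. ca.pem stands in for the single CA cert.
write_samples() {
    dir=$(mktemp -d)
    touch "$dir/ca.pem"
    # weak: the CA file is configured, but 'allow' proceeds even if the
    # server cert does not chain to it, so a wrong CA goes unnoticed.
    printf 'URI ldap://ldap.example.internal\nBASE dc=example,dc=internal\nTLS_CACERT %s/ca.pem\nTLS_REQCERT allow\n' \
        "$dir" > "$dir/ldap.conf.weak"
    # dir: TLS_CACERT pointing at a directory instead of a file.
    printf 'URI ldap://ldap.example.internal\nBASE dc=example,dc=internal\nTLS_CACERT %s\nTLS_REQCERT demand\n' \
        "$dir" > "$dir/ldap.conf.dir"
    # hard: single CA file plus 'demand', so an unverifiable cert ends the session.
    printf 'URI ldap://ldap.example.internal\nBASE dc=example,dc=internal\nTLS_CACERT %s/ca.pem\nTLS_REQCERT demand\n' \
        "$dir" > "$dir/ldap.conf.hard"
    printf '%s\n' "$dir"
}

# Stand-alone demo: lint each sample, then show how to exercise the hardened
# file against a real server (-ZZ makes ldapsearch insist that StartTLS succeed).
if [ "${1:-}" = "--demo" ]; then
    d=$(write_samples)
    for f in weak dir hard; do
        printf '== ldap.conf.%s\n' "$f"
        ldap_tls_config_check "$d/ldap.conf.$f" || true
    done
    echo "Try: LDAPCONF=$d/ldap.conf.hard ldapsearch -ZZ -x -b dc=example,dc=internal '(objectClass=*)'"
fi
```

Run it with `--demo` to see the three verdicts. The same directives can be overridden per invocation through the environment (LDAPTLS_CACERT, LDAPTLS_REQCERT, LDAPCONF), which is a quick way to confirm which file and which TLS_REQCERT value ldapsearch is actually honouring before concluding that certificate checking is broken.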