Re: ldapsearch allows SSL even w/o correct TLS_CACERT
On Thu, 22 Jan 2004, spammy@flashmail.com wrote:
> Hello All,
>
> How is TLS_CACERT supposed to work? PADL's
> tls_cacertfile/tls_checkpeer works for rejecting bad SSL
> certs, but OpenLDAP's TLS_CACERT/TLS_REQCERT don't seem to
> do the same -- if TLS_CACERT isn't the cert for the server's
> CA, no error occurs, whereas I was expecting to see it fail.
> The absence of TLS_CACERT allows all connections as well;
> only pointing TLS_CACERT to a directory (as an
> expecting-failure test) will cause the connection to fail.
>
> Any suggestions? I am trying to supply a single CA cert to
> OpenLDAP so as to use self-signed certs legitimately (which
> works fine with PADL's pam/nss libs).
>
What version are you running?