[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldapsearch allows SSL even w/o correct TLS_CACERT

To: "spammy@flashmail.com" <spammy@flashmail.com>
Subject: Re: ldapsearch allows SSL even w/o correct TLS_CACERT
From: Buchan Milne <bgmilne@obsidian.co.za>
Date: Fri, 23 Jan 2004 15:57:02 +0200 (SAST)
Cc: <openldap-software@OpenLDAP.org>
In-reply-to: <401056b8.2b2.ac8.6950@flashmail.com>

On Thu, 22 Jan 2004, spammy@flashmail.com wrote:

> Hello All,
> 
> How is TLS_CACERT supposed to work?  PADL's
> tls_cacertfile/tls_checkpeer works for rejecting bad SSL
> certs, but OpenLDAP's TLS_CACERT/TLS_REQCERT don't seem to
> do the same -- if TLS_CACERT isn't the cert for the server's
> CA, no error occurs, whereas I was expecting to see it fail.
>  The absence of TLS_CACERT allows all connections as well,
> only pointing TLS_CACERT to a directory (as an
> expecting-failure test) will cause the connection to fail.
> 
> Any suggestions?  I am trying to supply a single CA cert to
> OpenLDAP so as to use self-signed certs legitimately (which
> works fine with PADL's pam/nss libs).
> 

What version are you running?

References:
- ldapsearch allows SSL even w/o correct TLS_CACERT
  - From: "spammy@flashmail.com" <spammy@flashmail.com>

Prev by Date: Re: Ldap and passwd command
Next by Date: RE: Running configure?
Index(es):
- Chronological
- Thread