
Re: Start TLS extended request



The behavior is similar.  They both detect the problem
when configured in a like manner.  They do react differently
to that problem, but that's because they serve different
functions.  As noted in the verify portion of the s_client
man page, s_client will continue on to find additional
errors.  This is, of course, because s_client is a diagnostic
tool.

Kurt

At 01:45 PM 1/23/2004, Siva Kollipara wrote:
>"No client certificate CA names sent"
>Using openssl s_client, I get this message, but the operation doesn't
>terminate there. s_client verifies the server certificate using the CAPath
>I've provided.
>whereas through openldap I get the following message and the operation **terminates immediately**.
>"TLS: could not load client CA list
>(file:`',dir:`/net_home/skollipa/server/ssl/certs/')."
>ldap_perror
>ldap_simple_bind_s: Can't contact LDAP server
>
>in both cases CAFile is absent and CADir is present with valid path.
>
>Siva
>
>On Fri, 23 Jan 2004, Kurt D. Zeilenga wrote:
>
>> At 12:48 PM 1/23/2004, Siva Kollipara wrote:
>> >I am confused coz "openssl s_client -connect localhost:636
>> >-CApath=/valid/certs/dir" succeeds and everything works without
>> >complaining
>>
>> try with -verify, try with both -CAfile, etc..
>>
>> The OpenLDAP configuration flags are, IIRC, passed in to the
>> OpenSSL library, much like the openssl(1) does its command
>> line flags.  So, the behavior should be quite similar for
>> equivalent flags.
>>
>> Kurt
>>
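As an added example (not code from this thread, nor part of OpenLDAP or OpenSSL), the script below checks a CA directory the way OpenSSL's -CApath lookup reads it (certificates must be reachable under their subject-hash names) and then runs s_client with -verify_return_error, which makes it stop at the first verification error instead of carrying on as the diagnostic tool does by default. The directory path, host and port are placeholders passed on the command line.

```shell
#!/bin/sh
# Added example for this thread (not the posters' code): check that a CA
# directory is laid out the way OpenSSL reads a -CApath / TLS_CACERTDIR,
# then probe a server with s_client made to stop at the first verification
# error, as a production client such as the OpenLDAP library would.

# Returns 0 when every certificate in $1 is reachable under the
# <subject_hash>.N name OpenSSL looks up; each missing link is reported.
check_capath() {
  dir=$1
  found=0
  missing=0
  for cert in "$dir"/*; do
    [ -f "$cert" ] || continue
    # Files that are not X.509 certificates are skipped, as OpenSSL skips them.
    hash=$(openssl x509 -in "$cert" -noout -subject_hash 2>/dev/null) || continue
    found=$((found + 1))
    if ! ls "$dir/$hash".[0-9]* >/dev/null 2>&1; then
      echo "check_capath: no $hash.N link for $cert (run 'openssl rehash' or c_rehash)" >&2
      missing=$((missing + 1))
    fi
  done
  if [ "$found" -eq 0 ]; then
    echo "check_capath: no certificates found in $dir" >&2
    return 1
  fi
  [ "$missing" -eq 0 ]
}

# Handshake with $1:$2 trusting only the CAs in $3. -verify_return_error
# (OpenSSL 1.0.0 and later) turns s_client's default report-and-continue into
# a fatal error, so the exit status reflects what a real client would do.
probe_tls() {
  host=$1
  port=$2
  dir=$3
  openssl s_client -connect "$host:$port" -CApath "$dir" \
    -verify 5 -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage: sh check_capath.sh /path/to/certs [host [port]]
if [ $# -ge 1 ]; then
  check_capath "$1" && echo "CApath $1 is usable"
  if [ $# -ge 2 ]; then
    probe_tls "$2" "${3:-636}" "$1" && echo "verified $2 against $1" || echo "verification of $2 failed"
  fi
fi
```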