
Re: ldapsearch allows SSL even w/o correct TLS_CACERT



2.0.27.  Sorry, I meant to mention that originally...

Is this somehow fixed in later versions?

> 
> On Thu, 22 Jan 2004, spammy@flashmail.com wrote:
> 
> > Hello All,
> > 
> > How is TLS_CACERT supposed to work?  PADL's
> > tls_cacertfile/tls_checkpeer works for rejecting bad SSL
> > certs, but OpenLDAP's TLS_CACERT/TLS_REQCERT don't seem
> > to do the same -- if TLS_CACERT isn't the cert for the
> > server's CA, no error occurs, whereas I was expecting to
> > see it fail. The absence of TLS_CACERT allows all
> > connections as well, only pointing TLS_CACERT to a
> > directory (as an expecting-failure test) will cause the
> > connection to fail. 
> > Any suggestions?  I am trying to supply a single CA cert
> > to OpenLDAP so as to use self-signed certs legitimately
> > (which works fine with PADL's pam/nss libs).
> > 
> 
> What version are you running?
>
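An added example, not written by anyone on this thread: a small POSIX sh lint over constructed ldap.conf fragments that reports whether a client will actually reject a server certificate not issued by TLS_CACERT. The deciding option is TLS_REQCERT (never, allow, try, demand/hard, as documented in ldap.conf(5)); TLS_CACERT only names the CA to trust and does not by itself force verification.

```shell
#!/bin/sh
# Added example: lint a client ldap.conf for server-certificate verification.
# Whether an untrusted server cert is rejected is decided by TLS_REQCERT;
# TLS_CACERT / TLS_CACERTDIR only say which CA(s) to verify against.

# Constructed sample configs, not taken from any real deployment.
WEAK_CONF='URI ldaps://ldap.example.com
TLS_CACERT /etc/ssl/certs/ca.pem
TLS_REQCERT allow'

GOOD_CONF='URI ldaps://ldap.example.com
TLS_CACERT /etc/ssl/certs/ca.pem
TLS_REQCERT demand'

# conf_value NAME: print the last value set for NAME in the ldap.conf text on
# stdin (later lines win); keywords are matched case-insensitively.
conf_value() {
    awk -v key="$1" 'toupper($1) == key { v = $2 } END { print v }'
}

# check_ldap_conf: reads ldap.conf text on stdin. Returns 0 only when the
# settings make the client reject an unverifiable server certificate.
check_ldap_conf() {
    conf=$(cat)
    reqcert=$(printf '%s\n' "$conf" | conf_value TLS_REQCERT | tr 'A-Z' 'a-z')
    cacert=$(printf '%s\n' "$conf" | conf_value TLS_CACERT)
    cacertdir=$(printf '%s\n' "$conf" | conf_value TLS_CACERTDIR)

    case "$reqcert" in
        demand|hard) ;;   # certificate is required and must verify
        "")    echo "WARN: TLS_REQCERT not set; set it to demand explicitly"; return 1 ;;
        never|allow)
               echo "FAIL: TLS_REQCERT $reqcert ignores a bad or missing server cert"; return 1 ;;
        try)   echo "FAIL: TLS_REQCERT try tolerates a server that sends no cert"; return 1 ;;
        *)     echo "FAIL: unknown TLS_REQCERT value '$reqcert'"; return 1 ;;
    esac
    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "FAIL: TLS_REQCERT demand but no TLS_CACERT/TLS_CACERTDIR to verify against"
        return 1
    fi
    echo "OK: TLS_REQCERT=$reqcert CA=${cacert:-$cacertdir}"
    return 0
}

printf '%s\n' "$WEAK_CONF" | check_ldap_conf   # FAIL
printf '%s\n' "$GOOD_CONF" | check_ldap_conf   # OK
```

To confirm the setting against a live server, repeat the poster's own test (point TLS_CACERT at a CA that did not issue the server's certificate) and run ldapsearch with -ZZ or an ldaps:// URI; with TLS_REQCERT demand the connection must fail. For a one-off run the LDAPTLS_REQCERT and LDAPTLS_CACERT environment variables override ldap.conf.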