[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Sync Replication via TLS/SSL - get bind err



--On December 20, 2007 4:08:33 PM -0800 Howard Chu <hyc@symas.com> wrote:

RUMI Szabolcs wrote: 
I'm using certificates I've generated since many years with a lot of
software having SSL support like Apache, Cyrus IMAP, Postfix, OpenVPN,
etc. and all of these are working seamlessly, with the exception of
OpenLDAP. It's not only me who's struggling, just Google around if
you don't believe me... Even the Gentoo Linux ebuild for OpenLDAP
suggests that I have to use "TLS_REQCERT never" with self-signed
certificates or else TLS won't work. And they're right.


No, they're wrong. Likewise, most of the other software you've had
"working seamlessly" is broken but most people were too ignorant of best
practices to realize it. Now that malware is so common on the web, newer
browsers like Firefox/Mozilla are finally tightening their own validity
checks on certificates as well, and refusing to connect to sites with
unrecognized certs. I.e., they're finally beginning to do what they were
supposed to do all along, and what OpenLDAP has always done.

Just to note, we use self-signed certs @ Zimbra with OpenLDAP, we force TLS, and it works without a problem. Which is why I know you're incorrect. ;) And I'd hardly look to the gentoo folks as a source of documentation expertise when it comes to OpenLDAP.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration