Re: Antw: Re: TLS_REQCERT and no server certificate
On Wed, 13 Nov 2013, Ulrich Windl wrote:
> >>> Philip Guenther <guenther+ldaptech@sendmail.com> wrote on 12.11.2013 at 16:37
> in message <alpine.BSO.2.11.1311120655310.19673@morgaine.local>:
> > On Tue, 12 Nov 2013, Jan Synacek wrote:
> >> quoting ldap.conf(5):
> >>
> >> TLS_REQCERT <level>
> >> ...
> >> try The server certificate is requested. If no certificate is
> >> provided, the session proceeds normally.
>
> Maybe that should read "... If no VALID certificate is..."
I can't tell whether you're claiming that's how the code
* _does_ behave, and you've tested it
* _does_ behave, but you haven't tested it, OR
* _should_ behave, in your opinion.
> > Almost all TLS cipher suites, including the most deployed ones,
> > require the server to have a certificate, period. If you look at the
> > output of
>
> Yes, but the certificate could be expired or mismatching the host, etc.
I see no guarantee from OpenLDAP docs or code or OpenSSL docs or code that
such a setup would not fail immediately. I'm not going to bother checking
because such a setup would be insecure and a waste of resources.
"What problem are you trying to solve?"
Philip Guenther
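For reference, the ldap.conf(5) settings the thread is arguing about, shown as an added example that is not part of the original exchange: the permissive "try" level beside the "demand" level that makes an invalid or missing server certificate fatal. The CA bundle path is an assumption for illustration.

```conf
# Weak: the client asks for a server certificate, but a missing
# certificate does not abort the session (see the ldap.conf(5) quote
# in the thread). The session can still proceed without verification.
#TLS_REQCERT try

# Hardened: require a certificate that chains to a trusted CA; a
# missing, expired or mismatching certificate terminates the session.
TLS_REQCERT demand
# Path to the trusted CA bundle (assumed location, adjust to your system).
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
```

With "demand", the client side rejects the expired or host-mismatching certificates Ulrich mentions rather than silently proceeding.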