On Mon, 30 Apr 2007, Howard Chu wrote:
> guenther+ldapdev@sendmail.com wrote:
> > ...
> > - 'allow' checks the identity of the server vs its cert (per RFC 4513, section 3.1.3) and will terminate the connection if they don't match
> > - 'try' is the same as 'demand' and 'hard'
>
> Not quite. With both "allow" and "try" it's OK if the server provides no certificate.
That's true of 'demand' and 'hard' as well. The only difference between 'try' and 'demand' in the code is that the latter passes SSL_CTX_set_verify() the SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag, but that flag has NO EFFECT on SSL clients. This is documented on the SSL_CTX_set_verify() manpage and confirmed by grepping the openssl source for it.
If you don't believe me, I suggest you try configuring your server to accept the ADH suites (don't forget to set TLSDHParamFile to /dev/null) and give ldapsearch a whirl with LDAPTLS_REQCERT=hard LDAPTLS_CIPHER_SUITE=ADH-AES256-SHA in your environment. That's what I did.
Philip Guenther