On 05/16/2014 09:11 AM, pguenther@proofpoint.com wrote:
Full_Name: Philip Guenther
Version: 2.4.39
OS: OpenBSD
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (76.253.0.176)
The ldap.conf(5) manpage says this about TLS_REQCERT:

       TLS_REQCERT <level>
              Specifies what checks to perform on server certificates in a
              TLS session, if any. The <level> can be specified as one of
              the following keywords:
              ...
              try    The server certificate is requested. If no certificate
                     is provided, the session proceeds normally. If a bad
                     certificate is provided, the session is immediately
                     terminated.
              demand | hard
                     These keywords are equivalent. The server certificate
                     is requested. If no certificate is provided, or a bad
                     certificate is provided, the session is immediately
                     terminated. This is the default setting.
In testing, I can find no difference in behavior between the 'try' and 'hard' keywords. For the ldap* tools, both 'try' and 'hard' seem to place the same requirements on the server. What does "if no certificate is provided" *mean* in terms of server and/or client configuration?
See ITS#7744.
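The observation in the report can be reproduced outside OpenLDAP. The Go program below is an added example for this page, not OpenLDAP or OpenSSL code: it builds a throwaway self-signed certificate, serves it on a loopback port, and then dials it with the client-side verification policy that each TLS_REQCERT keyword amounts to. The mapping of the ldap.conf(5) keywords onto crypto/tls settings, the hypothetical certificate name, and the serve/connect helpers are this example's own. One TLS fact explains why the "try" branch is unobservable from a client: a server omits its Certificate message only when an anonymous key exchange (DH_anon) is negotiated, which OpenSSL's DEFAULT cipher list excludes and which crypto/tls does not implement at all, so any verifying client rejects exactly the same handshakes whether it is told "try" or "hard".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for 127.0.0.1 and a
// root pool that trusts it. Constructed test data, not a real deployment.
func selfSigned() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "ldap.example.test"}, // hypothetical name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// serve starts a TLS listener on a loopback port, runs the handshake on each
// connection and closes it. It returns the address a client should dial.
func serve(cert tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() {
				_ = c.(*tls.Conn).Handshake() // an error here just means the client gave up
				c.Close()
			}()
		}
	}()
	return ln.Addr().String(), nil
}

// connect opens a session the way a client configured with the given
// TLS_REQCERT level would. It returns nil when the session is established.
func connect(addr, level string, roots *x509.CertPool) error {
	cfg := &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}
	switch level {
	case "never", "allow":
		// never: nothing is checked. allow: checked, but failures are ignored.
		// Either way a bad certificate leaves the session up.
		cfg.InsecureSkipVerify = true
	case "try", "demand", "hard":
		// Verification is on and a bad certificate aborts the handshake.
		// try's "no certificate" branch cannot fire: every key exchange
		// crypto/tls offers makes the server send a certificate.
	default:
		return fmt.Errorf("unknown TLS_REQCERT level %q", level)
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

func main() {
	cert, roots, err := selfSigned()
	if err != nil {
		panic(err)
	}
	addr, err := serve(cert)
	if err != nil {
		panic(err)
	}
	for _, level := range []string{"never", "allow", "try", "demand", "hard"} {
		fmt.Printf("%-6s trusted root: %v\n", level, connect(addr, level, roots))
		fmt.Printf("%-6s unknown root: %v\n", level, connect(addr, level, x509.NewCertPool()))
	}
}
```

Running it shows "try", "demand" and "hard" all failing against an unknown root and all succeeding against the trusted one, while "never" and "allow" succeed in both cases. That is the same picture the report describes for the ldap* tools: on the client side the only distinction that survives is verify-and-abort versus accept-anything.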