Full_Name: Philip Guenther
Version: 2.3.27
OS: linux and solaris
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (64.58.1.252)
The description of the TLS_REQCERT setting in the ldap.conf(5) manpage does not match the actual operation of the code. In particular:
- clients don't 'request' server certs in TLS. They get one if the cipher suite uses them, otherwise they don't
- 'allow' checks the identity of the server vs its cert (per RFC 4513, section 3.1.3) and will terminate the connection if they don't match
- 'try' is the same as 'demand' and 'hard'
Here's a possible patch to ldap.conf.5 to fix the above. A reference to the RFC should perhaps be added to the text. I was also tempted to add a sentence to the lead-in to clarify that the setting has no effect if the negotiated cipher suite doesn't use certs, as a clarification of the "if any" in the existing lead-in, but that's minor. Simply having an even slightly correct description of 'allow' is the important thing.
--- ldap.conf.5 26 Jan 2006 05:57:49 -0000 +++ ldap.conf.5 30 Apr 2007 08:39:53 -0000 @@ -249,22 +249,20 @@ .RS .TP .B never -The client will not request or check any server certificate. +The client will not check the server certificate at all. .TP .B allow -The server certificate is requested. If no certificate is provided, -the session proceeds normally. If a bad certificate is provided, it will -be ignored and the session proceeds normally. -.TP -.B try -The server certificate is requested. If no certificate is provided, -the session proceeds normally. If a bad certificate is provided, +The client will only verify that name used to connect to the server +matches one of the server certificate's subjectAltName or CN values. +If no match is found, the session is immediately terminated. +.TP +.B try | demand | hard +These keywords are equivalent. +The client will verify the server certificate is valid and matches the +name used to connect (as for 'allow'). +If a bad or mismatched certificate is provided, the session is immediately terminated. -.TP -.B demand | hard -These keywords are equivalent. The server certificate is requested. If no -certificate is provided, or a bad certificate is provided, the session -is immediately terminated. This is the default setting. +This is the default setting. .RE .TP .B TLS_CRLCHECK <level>
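Review bot: In the new 'allow' entry, "The client will only verify that name used to connect to the server" is missing an article and should read "The client will only verify that the name used to connect to the server". The same sentence would be clearer if it spelled out what "only" implies: under 'allow' the certificate's validity (signature, expiry, trust chain) is not checked, so a certificate that merely carries a matching subjectAltName or CN is accepted, which is why 'try | demand | hard' has to say "valid and matches" separately. Since the report attributes the 'allow' behaviour to RFC 4513 section 3.1.3, citing it in that entry would anchor the text.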
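As an added example (not part of this report or of OpenLDAP's own code), a small audit script that reads an ldap.conf and reports the effective TLS_REQCERT level using the semantics the report describes; the sample configurations are constructed, and treating the value as case-insensitive is an assumption.

```python
"""Report the effective TLS_REQCERT level of an ldap.conf.

Added example, not from the OpenLDAP ITS report or OpenLDAP itself.
Semantics follow the report: 'never' skips all checks, 'allow' only
matches the connect name against subjectAltName/CN, and 'try',
'demand' and 'hard' all fully verify; 'demand' is the default.
"""
import re

# (meaning, weak) per keyword; 'try' collapses into 'demand'.
LEVELS = {
    "never":  ("no certificate check at all", True),
    "allow":  ("name match only, validity and chain not verified", True),
    "try":    ("full verification (same as demand)", False),
    "demand": ("full verification", False),
    "hard":   ("full verification (same as demand)", False),
}

def effective_reqcert(conf_text):
    """Return (level, meaning, weak) for the last TLS_REQCERT line.

    Keywords are case-insensitive (the value is assumed to be too),
    lines starting with '#' are comments, and a later occurrence
    overrides an earlier one. Unknown values are flagged weak.
    """
    level = "demand"  # default per the manpage text in the patch
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(?i)^TLS_REQCERT\s+(\S+)", line)
        if m:
            level = m.group(1).lower()
    meaning, weak = LEVELS.get(level, ("unrecognised value", True))
    return level, meaning, weak

def audit(conf_text):
    """One-line finding suitable for a configuration audit report."""
    level, meaning, weak = effective_reqcert(conf_text)
    return f"TLS_REQCERT={level}: {meaning} [{'WEAK' if weak else 'OK'}]"

# Constructed sample configurations for demonstration.
SAMPLE_ALLOW = "BASE dc=example,dc=org\nURI ldaps://ldap.example.org\ntls_reqcert Allow\n"
SAMPLE_DEFAULT = "URI ldaps://ldap.example.org\n# TLS_REQCERT never\n"

if __name__ == "__main__":
    for name, conf in (("allow", SAMPLE_ALLOW), ("default", SAMPLE_DEFAULT)):
        print(name, "->", audit(conf))
```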