Hi,
I am the author of the patch at: ftp://ftp.openldap.org/incoming/jvcelak-20110912-syncrepl-allow-unsetting-of-tls-options.patch
and I want to argue in favor of it:
1) In a configuration using a simple bind to authenticate a client, you have no choice but to use ldaps to protect against password sniffing: this requires a SERVER certificate only.
2) Since primary and replicated servers can have their roles reversed (i.e. after failure and/or recovery of the former primary server), the configurations should be kept as symmetric as possible (except for syncrepl) in order to speed up the switch: SSL on both servers should thus have the same configuration.
3) syncrepl then forces SSL to use a client certificate rather than a simple bind for authentication: this implies that "normal" clients will also need a certificate... we are then in a situation lying very far from using ldaps for encryption only :-(
4) Using separate server and client certificates within a server, although safer, does not resolve my problem.
For the above reasons, I would really like to see my patch included in the OpenLDAP code, or at least an equivalent solution.
Because "third-party patch submissions cannot be accepted per our IPR policies. The original author is required to submit their own patches.", do you need me to re-submit it?
Thanks in advance for your reply. Regards,
Patrick Monnerat DATASPHERE S.A. 16, chemin des Aulx CH-1228 Plan-les-Ouates (GE)
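The replication setup argued for in points 1) and 2) above, written out as an added slapd.conf example; it is not part of the original message and not the patch it refers to. Hostnames, file paths, DNs and the replicator credential are placeholder assumptions, and the syncrepl stanza uses only the standard tls_* keywords documented in slapd.conf(5), not whatever syntax the patch introduces for unsetting them.

```conf
# Identical TLS block on BOTH servers (provider and consumer), so that
# either one can be promoted after a failover without touching TLS settings.
# Only a server certificate is configured; clients authenticate with a
# simple bind over ldaps and never need a certificate of their own.
# (Paths are placeholder assumptions.)
TLSCACertificateFile   /etc/openldap/certs/ca.pem
TLSCertificateFile     /etc/openldap/certs/ldap-server.pem
TLSCertificateKeyFile  /etc/openldap/certs/ldap-server.key
TLSVerifyClient        never

# Consumer-only part: replicate over ldaps with a simple bind, verifying
# the provider's server certificate against the same CA.
# (Placeholder hostname, DNs and credential.)
syncrepl rid=001
        provider=ldaps://ldap1.example.com
        type=refreshAndPersist
        retry="60 10 300 +"
        searchbase="dc=example,dc=com"
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=replicator-secret
        tls_reqcert=demand
        tls_cacert=/etc/openldap/certs/ca.pem
```

The global TLSCertificateFile/TLSCertificateKeyFile pair is the server-side material that, as the message describes, the consumer's outgoing syncrepl connection ends up using as a client certificate as well; this fragment only shows the standard directives around that situation and makes no claim about how the patch lets them be unset.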