On Mon, 30 Apr 2007, Howard Chu wrote: ... That's true of 'demand' and 'hard' as well. The only difference between 'try' and 'demand' in the code is that the latter passes SSL_CTX_set_verify() the SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag, but that flag has NO EFFECT on SSL clients. This is documented on the SSL_CTX_set_verify() manpage and confirmed by grepping the openssl source for it. If you don't believe me, I suggest you try configuring your server to accept the ADH suites (don't forget to set TLSDHParamFile to /dev/null) and give ldapsearch a whirl with LDAPTLS_REQCERT=hard LDAPTLS_CIPHER_SUITE=ADH-AES256-SHA in your environment. That's what I did. Philip Guenther