On Mon, 30 Apr 2007, Howard Chu wrote:
> - 'allow' checks the identity of the server vs its cert (per RFC 4513,
> section 3.1.3) and will terminate the connection if they don't match
> - 'try' is the same as 'demand' and 'hard'
Not quite. With both "allow" and "try" it's OK if the server
That's true of 'demand' and 'hard' as well. The only difference between
'try' and 'demand' in the code is that the latter passes
SSL_CTX_set_verify() the SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag, but that
flag has NO EFFECT on SSL clients. This is documented on the
SSL_CTX_set_verify() manpage and confirmed by grepping the openssl source.
If you don't believe me, I suggest you try configuring your server to
accept the ADH suites (don't forget to set TLSDHParamFile to /dev/null)
and give ldapsearch a whirl with
in your environment. That's what I did.
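The OpenSSL behaviour the message relies on (SSL_VERIFY_FAIL_IF_NO_PEER_CERT being a server-side-only flag) can be reproduced without slapd at all. The script below is an added example, not code from the thread or from OpenLDAP: it builds an anonymous-cipher TLS server with Python's ssl module, which sits on top of OpenSSL, and handshakes against it with a client set to each of Python's verify modes. Assumptions: Python's CERT_OPTIONAL maps to SSL_VERIFY_PEER and CERT_REQUIRED to SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT (as the CPython ssl docs state), which is the same code-level difference the message describes between 'try' and 'demand'; the OpenSSL build still ships the aNULL suites at security level 0; and the handshake is capped at TLS 1.2 because TLS 1.3 has no anonymous suites. The function and constant names are mine.

```python
import ssl

# Added example, not OpenLDAP code: an anonymous-DH/ECDH (aNULL) TLS server and
# a verifying client joined through in-memory BIOs, so the whole handshake runs
# offline inside one process.
#
# Python verify modes -> OpenSSL flags (per the CPython ssl documentation):
#   CERT_NONE     -> SSL_VERIFY_NONE
#   CERT_OPTIONAL -> SSL_VERIFY_PEER
#   CERT_REQUIRED -> SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT
ALL_MODES = (ssl.CERT_NONE, ssl.CERT_OPTIONAL, ssl.CERT_REQUIRED)

# aNULL suites are refused at OpenSSL's default security level, hence SECLEVEL=0.
ANON_CIPHERS = "aNULL:@SECLEVEL=0"


def _anon_server_context():
    """Server context with NO certificate loaded: only anonymous suites can win."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.3 has no anonymous suites
    ctx.set_ciphers(ANON_CIPHERS)
    return ctx


def _client_context(verify_mode):
    """Client context that, like a TLS_REQCERT setting, chooses the verify flags."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # no certificate will arrive to match a name against
    ctx.verify_mode = verify_mode
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(ANON_CIPHERS)     # a client that is willing to speak ADH/AECDH
    return ctx


def anon_handshake(verify_mode, rounds=16):
    """Handshake against the anonymous server with the given client verify mode.

    Returns {"ok": True, "cipher": ..., "peer_cert": ...} on success
    (peer_cert is None when the server sent no certificate at all), or
    {"ok": False, "error": ...} if OpenSSL refused the connection.
    """
    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    cli = _client_context(verify_mode).wrap_bio(c_in, c_out, server_side=False)
    srv = _anon_server_context().wrap_bio(s_in, s_out, server_side=True)

    def step(obj):
        try:
            obj.do_handshake()
            return True
        except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
            return False                # needs the other side's next flight

    cli_done = srv_done = False
    try:
        for _ in range(rounds):
            if not cli_done:
                cli_done = step(cli)
            s_in.write(c_out.read())    # deliver the client's flight to the server
            if not srv_done:
                srv_done = step(srv)
            c_in.write(s_out.read())    # deliver the server's flight to the client
            if cli_done and srv_done:
                break
    except ssl.SSLError as err:
        return {"ok": False, "error": str(err)}
    if not (cli_done and srv_done):
        return {"ok": False, "error": "handshake did not complete"}
    return {"ok": True, "cipher": cli.cipher()[0], "peer_cert": cli.getpeercert()}


if __name__ == "__main__":
    for mode in ALL_MODES:
        print(mode.name, anon_handshake(mode))
```

If the message is right, all three modes complete the handshake with the same anonymous suite and getpeercert() returns None even under CERT_REQUIRED: the client never got a certificate to verify, and the FAIL_IF_NO_PEER_CERT bit did nothing to stop it. That is exactly what the ldapsearch-against-ADH-slapd test in the message checks at the LDAP layer; the mitigation on the client side is to refuse the anonymous suites in the cipher list rather than to rely on the verify flag.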