On Mon, 30 Apr 2007, Howard Chu wrote:
> guenther+ldapdev(a)sendmail.com wrote:
> ...
>> - 'allow' checks the identity of the server vs its cert (per RFC 4513,
>> section 3.1.3) and will terminate the connection if they don't match
>> - 'try' is the same as 'demand' and 'hard'
>
> Not quite. With both "allow" and "try" it's OK if the server provides no
> certificate.

That's true of 'demand' and 'hard' as well. The only difference between
'try' and 'demand' in the code is that the latter passes
SSL_CTX_set_verify() the SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag, but that
flag has NO EFFECT on SSL clients. This is documented on the
SSL_CTX_set_verify() manpage and confirmed by grepping the openssl source
for it.

If you don't believe me, I suggest you try configuring your server to
accept the ADH suites (don't forget to set TLSDHParamFile to /dev/null)
and give ldapsearch a whirl with

    LDAPTLS_REQCERT=hard
    LDAPTLS_CIPHER_SUITE=ADH-AES256-SHA

in your environment. That's what I did.

Philip Guenther