On Fri, Feb 18, 2011 at 12:30:25AM +0000, hyc(a)symas.com wrote:
> Used to work - since when, what release, what else has changed since then?
Unfortunately I cannot tell you exactly when this changed. In any case,
the change only affects a different bug which was masking the problem
that I now see.
I do know that 2.3.32 as shipped with SLES 10.3 masks the problem by
not checking the server certificate properly. So does 2.4.12 as shipped
with OpenSuSE 11.1. Both will allow ldapsearch -ZZ to connect to *any*
TLS-capable server if they do *not* have access to the CA certificate.
2.4.24 built on OpenSuSE 11.3 (i.e. using OpenSSL 1.0) correctly refuses
to connect if there is no CA cert.
All versions that I have tested (certainly back to 2.3.32) incorrectly
fail to connect when the URL is ldap://localhost:1389/ and a CA cert is
provided.
> I'll note that I just tested some localhost certs a few days ago and they were fine, and the cert verification code hasn't changed in quite a long time.
> (E.g., ITS#6711: the test setup there uses localhost with no problem.)
Hmm - that seems to be server-to-server. My problem is with the client
tools, so maybe a different code-path is used.
I have put a small test case here:
ftp://ftp.openldap.org/incoming/afindlay-localhost-tls-test-20110218.tgz
The server cert is valid for 'localhost' and also for '127.0.0.1'.
The tests are:
sh 1-plain
    Plain LDAP connection - no problems.
    Connects to ldap://localhost:1389/
sh 2-tls-no-ca
    With TLS but the client has no access to the CA cert, so this should fail
    with a complaint about 'self-signed certificate'.
sh 3-tls-with-ca
    With TLS and access to the CA cert.
    Connects to ldap://localhost:1389/
    This should succeed but it does not.
sh 4-tls-with-ca-numeric
    With TLS and access to the CA cert.
    This one uses ldap://127.0.0.1:1389/ and succeeds.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd                                 |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/                        +44 1628 782565 |
-----------------------------------------------------------------------
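A small client-side harness for the four cases above, added here as an example; it is not part of the tarball or of OpenLDAP. It assumes a server on ldap://localhost:1389/ whose certificate is valid for 'localhost' and '127.0.0.1', takes the CA certificate path as its only argument, and assumes the system ldap.conf does not force a TLS_CACERT (the LDAPTLS_* environment variables override the ldap.conf TLS_* settings for the client tools). Case 2 connecting means the client accepts any TLS server, which is the masked bug in 2.3.32 and 2.4.12; case 3 failing while case 4 succeeds is the localhost problem.

```shell
#!/bin/sh
# Added check (not from the original tarball): does this ldapsearch build
# actually enforce server-certificate verification with -ZZ?
# Assumptions: server on ldap://localhost:1389/, cert valid for 'localhost'
# and '127.0.0.1', CA cert path in $1, no TLS_CACERT forced by ldap.conf.

verdict() {  # $1 = expected outcome (succeed|fail), $2 = ldapsearch exit status
    case "$1:$2" in
        succeed:0) echo PASS ;;
        fail:0)    echo 'FAIL: connected with no trusted CA (any server accepted)' ;;
        succeed:*) echo 'FAIL: refused a server whose cert chains to the trusted CA' ;;
        fail:*)    echo PASS ;;
    esac
}

NO_CA_DIR="${TMPDIR:-/tmp}/ldap-no-ca.$$"   # empty directory: nothing trusted

plain_search() {  # $1 = URL; root DSE query without TLS
    ldapsearch -x -H "$1" -s base -b '' '(objectClass=*)' >/dev/null 2>&1
}

tls_search() {  # $1 = URL, $2 = CA cert file ("" = no CA available at all)
    if [ -n "$2" ]; then
        LDAPTLS_REQCERT=demand LDAPTLS_CACERT="$2" \
            ldapsearch -x -ZZ -H "$1" -s base -b '' '(objectClass=*)'
    else
        LDAPTLS_REQCERT=demand LDAPTLS_CACERTDIR="$NO_CA_DIR" \
            ldapsearch -x -ZZ -H "$1" -s base -b '' '(objectClass=*)'
    fi >/dev/null 2>&1
}

run_checks() {  # $1 = CA cert path; prints one verdict per case
    mkdir -p "$NO_CA_DIR"
    plain_search ldap://localhost:1389/ && rc=0 || rc=$?
    echo "1 plain              : $(verdict succeed "$rc")"
    tls_search ldap://localhost:1389/ '' && rc=0 || rc=$?
    echo "2 tls, no CA         : $(verdict fail "$rc")"
    tls_search ldap://localhost:1389/ "$1" && rc=0 || rc=$?
    echo "3 tls, CA, localhost : $(verdict succeed "$rc")"
    tls_search ldap://127.0.0.1:1389/ "$1" && rc=0 || rc=$?
    echo "4 tls, CA, 127.0.0.1 : $(verdict succeed "$rc")"
    rmdir "$NO_CA_DIR"
}

# Only run the live checks when a CA cert path is supplied on the command line.
if [ $# -eq 1 ]; then run_checks "$1"; fi
```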