--On December 20, 2007 4:08:33 PM -0800 Howard Chu <hyc(a)symas.com> wrote:
> RUMI Szabolcs wrote:
> > I'm using certificates I've generated for many years with a lot of
> > software having SSL support like Apache, Cyrus IMAP, Postfix, OpenVPN,
> > etc., and all of these are working seamlessly, with the exception of
> > OpenLDAP. It's not only me who's struggling; just Google around if
> > you don't believe me... Even the Gentoo Linux ebuild for OpenLDAP
> > suggests that I have to use "TLS_REQCERT never" with self-signed
> > certificates or else TLS won't work. And they're right.
> No, they're wrong. Likewise, most of the other software you've had
> "working seamlessly" is broken, but most people were too ignorant of best
> practices to realize it. Now that malware is so common on the web, newer
> browsers like Firefox/Mozilla are finally tightening their own validity
> checks on certificates as well, and refusing to connect to sites with
> unrecognized certs. I.e., they're finally beginning to do what they were
> supposed to do all along, and what OpenLDAP has always done.
Just to note, we use self-signed certs @ Zimbra with OpenLDAP, we force
TLS, and it works without a problem. Which is why I know you're incorrect.
;) And I'd hardly look to the gentoo folks as a source of documentation
expertise when it comes to OpenLDAP.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
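As an added example (not code from this thread, from the OpenLDAP project, or from Zimbra), the POSIX shell script below writes three constructed ldap.conf fragments and audits them: the "TLS_REQCERT never" workaround RUMI mentions, a "TLS_REQCERT demand" client with no trust anchor configured (the state in which a self-signed server certificate cannot verify), and the working form, where the self-signed certificate itself is listed as TLS_CACERT so the client treats it as its own CA. The hostname, base DN, temporary paths and the placeholder certificate file are assumptions; the audit function `ldap_conf_verifies` is my own, not an OpenLDAP tool.

```shell
#!/bin/sh
# Added example: audit ldap.conf TLS settings. Everything below is constructed
# for illustration; ldap.example.com and the paths are assumptions.

WORK=$(mktemp -d)

# 1. The workaround under discussion: verification is switched off, so any
#    certificate an attacker presents on the wire is accepted.
cat > "$WORK/ldap.conf.never" <<'EOF'
URI ldap://ldap.example.com
BASE dc=example,dc=com
TLS_REQCERT never
EOF

# 2. Verification demanded (also the default when TLS_REQCERT is absent) but
#    no trust anchor: a self-signed server cert is "untrusted" and the
#    connection fails, which is the symptom that drives people to "never".
cat > "$WORK/ldap.conf.nocacert" <<'EOF'
URI ldap://ldap.example.com
BASE dc=example,dc=com
TLS_REQCERT demand
EOF

# 3. The fix: point TLS_CACERT at the self-signed certificate itself. A
#    self-signed cert is its own issuer, so listing it as the CA makes the
#    chain verify. Placeholder PEM so the example runs offline.
printf '%s\n' '-----BEGIN CERTIFICATE-----' '(placeholder)' \
    '-----END CERTIFICATE-----' > "$WORK/ldap.crt"
cat > "$WORK/ldap.conf.demand" <<EOF
URI ldap://ldap.example.com
BASE dc=example,dc=com
TLS_CACERT $WORK/ldap.crt
TLS_REQCERT demand
EOF

# ldap_conf_verifies FILE
# Returns 0 if FILE will verify the server certificate against a readable
# trust anchor, 1 otherwise (with the reason on stdout).
ldap_conf_verifies() {
    file=$1
    # Last occurrence wins; an absent TLS_REQCERT means "demand".
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT"{v=tolower($2)}
                   END{print (v=="" ? "demand" : v)}' "$file")
    cacert=$(awk 'toupper($1)=="TLS_CACERT"{v=$2} END{print v}' "$file")
    cacertdir=$(awk 'toupper($1)=="TLS_CACERTDIR"{v=$2} END{print v}' "$file")

    case "$reqcert" in
        never|allow)
            echo "$file: TLS_REQCERT $reqcert disables certificate verification"
            return 1 ;;
        try)
            echo "$file: TLS_REQCERT try accepts a server that presents no certificate"
            return 1 ;;
        demand|hard)
            ;;
        *)
            echo "$file: unknown TLS_REQCERT value '$reqcert'"
            return 1 ;;
    esac

    if [ -n "$cacert" ] && [ -r "$cacert" ]; then
        return 0
    fi
    if [ -n "$cacertdir" ] && [ -d "$cacertdir" ]; then
        return 0
    fi
    echo "$file: TLS_REQCERT $reqcert but no readable TLS_CACERT/TLS_CACERTDIR;" \
         "a self-signed server certificate cannot verify"
    return 1
}

for f in never nocacert demand; do
    if ldap_conf_verifies "$WORK/ldap.conf.$f"; then
        echo "$WORK/ldap.conf.$f: OK"
    fi
done
```

To reproduce the working case against a real server, generate the server's self-signed certificate with something like `openssl req -x509 -newkey rsa:2048 -nodes -keyout ldap.key -out ldap.crt -days 365 -subj /CN=ldap.example.com` (the CN must match the hostname the client connects to), configure slapd with that key and certificate, copy ldap.crt to the client and list it as TLS_CACERT, then check with `ldapsearch -x -ZZ -H ldap://ldap.example.com -b dc=example,dc=com`; `-ZZ` makes the search fail rather than proceed if StartTLS does not succeed.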