Re: failover config: servers with same DNS address and TLS, subjectAltName extension

Howard Chu <hyc(a)symas.com&gt; wrote: Yes, I discovered HAVE_OPENSSL_CRL. The problem is that this test validates at mine, despite OpenSSL version (0.9.7d) configure:19757: checking OpenSSL library version (CRL checking capability) configure:19791: result: yes And then if I use TLS_CRLCHECK, LDAP operation will fail: ldap_bind: Can't contact LDAP server (-1) additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed I hope you'll agree with me that this is *very* misleading if CRL checks are not supposed to work with 0.9.7d. Quoting myself: "here is the result of my experiments" I wouldn't call that a claim of being an authoritative guide. I posted it there with the hope it could be useful to other looking for the piece of information I missed. It was not perfect, but that's not a problem, since you and other kindly pointed out the errors. If you don't discourage me too much, I may even post an update with your comments included. Yes, I have this. Is it fine? security simple_bind=128 I hope people do some testing before rolling a copy/pasted configuration in production... -- Emmanuel Dreyfus http://hcpnet.free.fr/pubz manu(a)netbsd.org