Brett @Google wrote:
Hello,
I've recently had issues with a 3rd party java client using jdk 1.4.x, trying to connect with ldaps:// to openldap 2.4.26, compiled with OpenSSL 1.0.0d
It would appear that the client's jdk 1.4.x has a few harsh restrictions with regard to modulus size in certiicates, even with all unrestricted "export" policies installed.
So i was wondering a few things :
- does openldap do anything with the CA certs, other than verify local or
remote certiticates, such as sending them over the ssl connection ?
OpenLDAP doesn't do *anything* with certs. The backing TLS library does. What the TLS library does is the same thing it does for any TLS session, be it https, smtps, or whatever.
- it's my understanding that in SSL negotiation, only server or client
certiticates are exchanged, and ca certs's are not sent over the wire (as IMHO it would literally bet a "trust" issue to do otherwise :).
I suggest you run ldapsearch -d7 and see exactly what happens.
- other than providing certificates / keys to the openssl API, is there
anything special that happens other than hand off to stock openssl negotiation ?
No.
Trying to work out what is being sent to the client to trigger a "modulus size" error on the client, other than clients inherent badness which i cannot control :)
JDK 1.4? Good luck.
If 3. is no, then i'm open to any suggestions with regard to interesting or useful SSL negotiation documents out there, that might shed some light.
Cheers Brett
-- *The only thing that interferes with my learning is my education.*
Albert Einstein*