I've recently had issues with a 3rd party java client using jdk 1.4.x, trying to connect with ldaps:// to openldap 2.4.26, compiled with OpenSSL 1.0.0d

It would appear that the client's jdk 1.4.x has a few harsh restrictions with regard to modulus size in certificates, even with all unrestricted "export" policies installed.

So I was wondering a few things:

1. does openldap do anything with the CA certs, other than verify local or remote certificates, such as sending them over the ssl connection?
2. it's my understanding that in SSL negotiation, only server or client certificates are exchanged, and CA certs are not sent over the wire
   (as IMHO it would literally be a "trust" issue to do otherwise :).
3. other than providing certificates / keys to the openssl API, is there anything special that happens other than hand off to stock openssl negotiation?

Trying to work out what is being sent to the client to trigger a "modulus size" error on the client, other than the client's inherent badness, which I cannot control :)

If 3. is no, then I'm open to any suggestions with regard to interesting or useful SSL negotiation documents out there that might shed some light.


The only thing that interferes with my learning is my education.

Albert Einstein