On Wed, 13 Nov 2013, Ulrich Windl wrote:
> Philip Guenther <guenther+ldaptech@sendmail.com> wrote on 12.11.2013 at 16:37
> in message <alpine.BSO.2.11.1311120655310.19673@morgaine.local>:
> > On Tue, 12 Nov 2013, Jan Synacek wrote:
> > > quoting ldap.conf(5):
> > >
> > >   TLS_REQCERT <level>
> > >   ...
> > >     try   The server certificate is requested. If no certificate is
> > >           provided, the session proceeds normally.
> > >
> > > Maybe that should read "... If no VALID certificate is..."
> >
> > I can't tell whether you're claiming that's how the code
> >  * _does_ behave, and you've tested it
> >  * _does_ behave, but you haven't tested it, OR
> >  * _should_ behave, in your opinion.
> >
> > Almost all TLS cipher suites, including the most deployed ones, require
> > the server to have a certificate, period.  If you look at the output of
>
> Yes, but the certificate could be expired or mismatching the host, etc.
I see no guarantee from OpenLDAP docs or code or OpenSSL docs or code that such a setup would not fail immediately. I'm not going to bother checking because such a setup would be insecure and a waste of resources.
"What problem are you trying to solve?"
Philip Guenther
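As an added illustration, not part of the thread above, the following ldap.conf(5) fragment puts the verification levels being argued about side by side. The thread quotes only the first half of the `try` entry; the full manual entry goes on to say that with `try` a bad certificate terminates the session, that `allow` ignores a bad certificate and proceeds, and that `demand` (the default) terminates the session when the certificate is missing or bad. The host name, base DN and CA path are placeholders.

```conf
# ldap.conf fragment (added example, not from the thread).
# Host name, base DN and CA file below are placeholders.

URI        ldaps://ldap.example.test
BASE       dc=example,dc=test
TLS_CACERT /etc/ssl/certs/example-ca.pem

# Weak: a missing OR bad server certificate is tolerated, so an
# expired or wrong-host certificate does not stop the connection.
# Acceptable only while debugging a broken chain, not for a
# production client.
#TLS_REQCERT allow

# "try": a missing certificate is tolerated, but a bad one
# terminates the session. Because practically every deployed cipher
# suite requires the server to present a certificate, the "missing"
# case rarely arises in practice.
#TLS_REQCERT try

# Default and recommended: the server must present a certificate
# that chains to TLS_CACERT and matches the host, otherwise the
# session is terminated.
TLS_REQCERT demand
```

With `demand` in place, a connection to a server whose certificate is expired or does not match the host should fail at the TLS handshake rather than fall back to an unverified session; running the client with `ldapsearch -ZZ ...` (StartTLS, fail if it cannot be established) or an `ldaps://` URI together with `-d 1` shows the TLS error in the debug output, which is the quickest way to confirm the setting is actually being enforced.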