On Wed, 13 Nov 2013, Ulrich Windl wrote:
>> "It doesn't do cert chain checking so it will accept self-signed certs."
> Even if it does cert chain checking, a self-signed certificate will be accepted! What are you saying?

His use of the phrase "cert chain checking" was misleading.
With 'allow', the ldap client library doesn't care whether the cert's signature can be validated back to a known-and-trusted root CA.
(If you copied the self-signed cert into the client's trusted CA file or directory, then you might be able to use 'TLS_REQCERT demand' and be secure from MitM attacks.)
Philip Guenther
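The two ldap.conf settings discussed above, side by side, plus the check that tells them apart. This is an added example and not code from the thread or from OpenLDAP; the hostname ldap.example.com, the path /etc/ssl/certs/ldap-server.pem, and the function names are hypothetical. The openssl part reproduces what the client library does under 'demand': a freshly generated self-signed cert fails verification against the default trust store, and passes only once that same cert is supplied as the trusted CA file.

```shell
#!/bin/sh
# Added example: TLS_REQCERT allow vs. demand for the OpenLDAP client library.
# Not from the original thread; hostnames and paths below are made up.
set -eu

# Write the weak and the hardened ldap.conf variants into $1.
write_ldap_confs() {
  dir=$1
  cat > "$dir/ldap.conf.weak" <<'EOF'
# Weak: a server cert is requested but never validated against a trusted CA,
# so a man-in-the-middle can present any self-signed cert and the client
# carries on (hypothetical host).
URI ldaps://ldap.example.com
TLS_REQCERT allow
EOF
  cat > "$dir/ldap.conf.hardened" <<'EOF'
# Hardened: the server cert must chain to something in TLS_CACERT or the
# connection fails. For a self-signed server cert, TLS_CACERT is a copy of
# that cert itself (hypothetical path).
URI ldaps://ldap.example.com
TLS_CACERT /etc/ssl/certs/ldap-server.pem
TLS_REQCERT demand
EOF
}

# Audit one ldap.conf: prints "ok" when TLS_REQCERT is demand/hard (the
# OpenLDAP default when unset) and a CA file or directory is configured,
# "no-ca" when demand is set but nothing is trusted, "weak:<mode>" otherwise.
audit_ldap_conf() {
  reqcert=$(awk 'tolower($1)=="tls_reqcert"{print tolower($2)}' "$1" | tail -n 1)
  cacert=$(awk 'tolower($1)=="tls_cacert"||tolower($1)=="tls_cacertdir"{print $2}' "$1" | tail -n 1)
  case "${reqcert:-demand}" in
    demand|hard) [ -n "$cacert" ] && echo "ok" || echo "no-ca" ;;
    *) echo "weak:$reqcert" ;;
  esac
}

# What 'demand' does underneath: generate a self-signed cert in $1, verify it
# against the default trust store (rejected), then with itself as the trusted
# CA file (accepted). Prints "<default-store result> <own-CAfile result>".
verify_self_signed() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
    -out "$dir/cert.pem" -days 1 -subj "/CN=ldap.example.com" >/dev/null 2>&1
  if openssl verify "$dir/cert.pem" >/dev/null 2>&1; then
    untrusted=accepted; else untrusted=rejected; fi
  if openssl verify -CAfile "$dir/cert.pem" "$dir/cert.pem" >/dev/null 2>&1; then
    trusted=accepted; else trusted=rejected; fi
  echo "$untrusted $trusted"
}

# Stand-alone run: audit both configs, then show the verification difference.
demo_dir=$(mktemp -d)
write_ldap_confs "$demo_dir"
echo "weak config:     $(audit_ldap_conf "$demo_dir/ldap.conf.weak")"
echo "hardened config: $(audit_ldap_conf "$demo_dir/ldap.conf.hardened")"
if command -v openssl >/dev/null 2>&1; then
  echo "self-signed cert (default store / own CAfile): $(verify_self_signed "$demo_dir")"
fi
rm -rf "$demo_dir"
```

The audit treats a missing TLS_REQCERT as 'demand' because that is the OpenLDAP default; note that 'demand' without any TLS_CACERT or TLS_CACERTDIR is still a failed configuration (every connection is refused), which is why the script reports it separately as "no-ca" rather than lumping it in with 'allow'.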