* Torsten Landschoff (torsten@debian.org) wrote:
> On Fri, Feb 14, 2003 at 10:36:13AM -0500, Stephen Frost wrote:
>
> > > some support for TLS connections, but slapd accepts connection
> > > even if client's cert. cannot be verified by ca's cert. Versions
> > > 2.1.x work correctly from this point of view with the same configuration
> > > which was tested on openldap-2.0.27 from Sid branch.
> >
> > That's correct, that was a change in the openldap source code itself I
> > believe. The Debian OpenLDAP 2.1 packages will also verify by default
> > (though I believe there's an option in 2.1 to turn it off).
>
> Hmm, interesting. The documentation of slapd in 2.1 states this:
>
>        TLSVerifyClient <level>
>               Specifies what checks to perform on client certificates in an
>               incoming TLS session, if any. The <level> can be specified as
>               one of the following keywords:
>
>               never  This is the default. slapd will not ask the client for a
>                      certificate.
>
> [...]
>
> I have not really used TLS with OpenLDAP for that though. Up to now the
> encryption was all I wanted...

Sorry, I think you're right, I was thinking from the opposite end: the
client will verify the server's cert by default for using TLS. The
client does not need to have a cert of its own by default. Previously
(2.0) the client did not attempt to verify the server's cert, from my
understanding.

	Stephen
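The two directions of verification the thread is talking about, as an added configuration example that is not part of the original message or of the Debian packages. It shows the slapd-side setting with the default (no client certificate requested) next to the setting that enforces client-certificate verification, and the client-side setting that makes libldap verify the server certificate. The file paths and hostnames are assumptions for illustration; the directive names and keyword values are those documented in slapd.conf(5) and ldap.conf(5).

```conf
###
### slapd.conf: server side (does slapd verify the CLIENT's certificate?)
###
TLSCertificateFile      /etc/ldap/ssl/slapd-cert.pem   # assumed path
TLSCertificateKeyFile   /etc/ldap/ssl/slapd-key.pem    # assumed path
# CA bundle slapd uses to verify client certificates. Without it,
# "demand" below cannot succeed for any client.
TLSCACertificateFile    /etc/ldap/ssl/ca.pem           # assumed path

# Weak setting quoted in the thread (and the documented default):
# slapd never asks for a client certificate, so a client with no
# certificate, or one not signed by the CA, still gets a TLS session.
TLSVerifyClient         never

# Enforcing setting: the client MUST present a certificate and it MUST
# verify against TLSCACertificateFile, or the TLS handshake is terminated.
# The intermediate levels are "allow" (ask; proceed even if absent or bad)
# and "try" (ask; proceed if absent, terminate if bad).
#TLSVerifyClient        demand

###
### ldap.conf (or ~/.ldaprc): client side (does the client verify the SERVER's certificate?)
###
URI                     ldaps://ldap.example.org/      # assumed host
# CA the client trusts for server certificates.
TLS_CACERT              /etc/ldap/ssl/ca.pem           # assumed path
# "demand" (the 2.1 default): the server certificate is requested and must
# verify, otherwise the session is terminated. "never" disables checking
# and reproduces the 2.0-era behaviour described in the reply.
TLS_REQCERT             demand
```

To check the client side, `ldapsearch -ZZ -x -H ldap://ldap.example.org/ -b ''` (STARTTLS, with `-ZZ` making a failed TLS negotiation fatal) should fail when the server certificate does not chain to `TLS_CACERT` and `TLS_REQCERT` is `demand`. To check the server side, connect with `openssl s_client -connect ldap.example.org:636` without a client certificate: with `TLSVerifyClient never` the handshake completes, with `demand` it is rejected.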