> On May 15, 2016 at 6:13 AM Ryan Tandy <r...@nardis.ca> wrote:
>
> On Mon, May 02, 2016 at 05:44:58PM +0300, Aki Tuomi wrote:
> > 2. Try to connect with openldap -Z -H ldap://server ...
> >
> > Expected behaviour
> > Invalid cert ignored, and TLS continues
>
> I failed to read this closely enough the first time.
>
> This is actually not the intended behaviour, though: the meaning of the -Z option is to attempt TLS, but continue without it (cleartext) if the startTLS operation fails. Therefore using TLS_REQCERT allow and -ZZ is a better solution.
>
> > Actual behaviour
> > Failure with non-descriptive error, debug shows
> > ldap_start_tls: Connect error (-11)
>
> ... but this is not the expected behaviour, either way!
>
> There's something odd going on after the certificate is rejected - may be a bug in the GnuTLS support, or in the core TLS implementation - it looks like the client sends a plain Bind request while the server is still expecting a TLS handshake, possibly. But I'd rather discourage the use of this fallback to cleartext anyway, so I'm not going to look further into that right now. And an OpenSSL-linked slapd closes the connection outright after the TLS negotiation fails, which seems like the more prudent thing to do.
Thank you for your help; the OpenLDAP library documentation could probably be better =)

Aki
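The advice in the thread (TLS_REQCERT allow plus -ZZ instead of a bare -Z) as a concrete client setup. This is an added example, not code from either poster or from the OpenLDAP project. It assumes a placeholder server URI (ldap://ldap.example.org) and a placeholder CA bundle path; the config keys and ldapsearch flags themselves are the real ones documented in ldap.conf(5) and ldapsearch(1).

```shell
#!/bin/sh
# Added example (not from the thread): a per-user ldaprc plus the
# ldapsearch invocation that makes StartTLS mandatory.
# Assumptions: ldap://ldap.example.org and the CA bundle path are placeholders.

# Write an OpenLDAP client config file.  Every ldap.conf(5) option can also
# be supplied as an environment variable with an LDAP prefix (for example
# LDAPTLS_REQCERT), so the file is optional; it just keeps the policy visible.
write_ldaprc() {
    # $1 = output path, $2 = TLS_REQCERT value, $3 = CA bundle path
    cat > "$1" <<EOF
# TLS_REQCERT controls what the client does with the server certificate:
#   never  - do not even request it (no authentication of the server)
#   allow  - request it, but ignore a bad or missing one and keep the TLS session
#   demand - require a valid certificate (the default; use this outside of testing)
TLS_REQCERT $2
TLS_CACERT $3
EOF
}

# Probe the server with StartTLS required.
#   -Z  : request StartTLS, but fall back to cleartext if the operation fails
#         (this is the fallback the thread advises against)
#   -ZZ : request StartTLS and abort if it does not succeed
# The root DSE search (-b '' -s base '+') needs no credentials and returns
# operational attributes such as supportedLDAPVersion, which is enough to
# confirm that the TLS layer came up.
probe_starttls() {
    # $1 = LDAP URI, $2 = path to the ldaprc written above
    LDAPCONF="$2" ldapsearch -ZZ -H "$1" -x -b '' -s base '+'
}

# Usage (network access required, so not run here):
#   conf="${TMPDIR:-/tmp}/ldaprc.$$"
#   write_ldaprc "$conf" allow /etc/ssl/certs/ca-certificates.crt
#   probe_starttls ldap://ldap.example.org "$conf"
#   rm -f "$conf"
```

With TLS_REQCERT allow and -ZZ, a self-signed or otherwise unverifiable server certificate is tolerated but the session is still encrypted; with -Z alone, a failed StartTLS operation silently continues in cleartext, and the thread shows that the GnuTLS build does not even fail cleanly in that case. Switch the value back to demand once the CA bundle is in place.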