--On Thursday, April 03, 2008 3:41 PM +0200 [EMAIL PROTECTED] wrote:

ok, more testing, more news:

now with the slapd 2.4.7 package (with gnutls) this seems to force
client-certs, too. a TLS query without client-cert won't work - but
commenting the 'security' line out results in working TLS and working
non-TLS queries.

The default behavior when TLS is enabled is "TLSVerifyClient never";
2.4.7 did have a bug related to this, but this was resolved in the
2.4.7-5 package.

well it seems to me like with gnutls the 'security tls=' value controls
the TLS requirements; TLSVerifyClient is (more or less?) ignored. But I
could be missing something ofc...

all queries done with a server cert and without a client cert:


security tls=128
TLSVerifyClient never

ldapsearch              fails (TLS confidentiality required)
ldapsearch -ZZ          fails (stronger TLS confidentiality required)

This will always fail as long as the key strength of the cert in question is so low. It states quite clearly in your log:

conn=0 fd=12 TLS established tls_ssf=32 ssf=32

I.e., the TLS SSF is 32.  So no value > 32 will ever work.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
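Added example, not part of the thread or of OpenLDAP itself: a small Python checker that applies the reasoning above to a slapd log. It parses the `security` directive from slapd.conf (here `security tls=128`, as in the thread), reads the `tls_ssf=N ssf=N` values that slapd logs on `TLS established`, and reports, per connection, whether the negotiated strength meets the configured requirement, using the two rejection messages quoted in the thread. The log lines other than the one quoted above (the ACCEPT lines, the conn=1 and conn=2 entries) are constructed for the example.

```python
import re
from typing import Dict

# Constructed sample: the directive under discussion in the thread.
SECURITY_DIRECTIVE = "security tls=128"

# Constructed sample log. The conn=0 TLS line is the one quoted in the
# thread; the other lines are made up for illustration.
SAMPLE_LOG = """\
conn=0 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
conn=0 fd=12 TLS established tls_ssf=32 ssf=32
conn=1 fd=13 ACCEPT from IP=192.0.2.11:51235 (IP=0.0.0.0:389)
conn=1 fd=13 TLS established tls_ssf=256 ssf=256
conn=2 fd=14 ACCEPT from IP=192.0.2.12:51236 (IP=0.0.0.0:389)
"""

_SECURITY_RE = re.compile(r"^\s*security\s+(.*)$", re.IGNORECASE)
_ACCEPT_RE = re.compile(r"^conn=(\d+) .*ACCEPT from")
_TLS_RE = re.compile(r"^conn=(\d+) .*TLS established tls_ssf=(\d+) ssf=(\d+)")


def parse_security(line: str) -> Dict[str, int]:
    """Turn 'security tls=128 ssf=56' into {'tls': 128, 'ssf': 56}."""
    m = _SECURITY_RE.match(line)
    if not m:
        raise ValueError("not a security directive: %r" % line)
    factors: Dict[str, int] = {}
    for token in m.group(1).split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError("malformed security factor: %r" % token)
        factors[key.lower()] = int(value)
    return factors


def connection_ssf(log_text: str) -> Dict[int, Dict[str, int]]:
    """Map each connection id to its logged tls_ssf/ssf.

    A connection that was accepted but never logged 'TLS established'
    is recorded with both factors at 0 (cleartext)."""
    conns: Dict[int, Dict[str, int]] = {}
    for line in log_text.splitlines():
        a = _ACCEPT_RE.match(line)
        if a:
            conns.setdefault(int(a.group(1)), {"tls_ssf": 0, "ssf": 0})
        t = _TLS_RE.match(line)
        if t:
            conns[int(t.group(1))] = {"tls_ssf": int(t.group(2)),
                                      "ssf": int(t.group(3))}
    return conns


def check_connections(directive: str, log_text: str) -> Dict[int, str]:
    """Return 'ok' or the reason slapd would refuse each connection.

    Only the 'tls' and 'ssf' factors are evaluated; the messages for the
    'tls' factor are the ones quoted in the thread."""
    required = parse_security(directive)
    verdicts: Dict[int, str] = {}
    for conn, got in connection_ssf(log_text).items():
        reason = "ok"
        if "tls" in required and got["tls_ssf"] < required["tls"]:
            reason = ("TLS confidentiality required" if got["tls_ssf"] == 0
                      else "stronger TLS confidentiality required")
        elif "ssf" in required and got["ssf"] < required["ssf"]:
            reason = "overall ssf %d below required %d" % (got["ssf"], required["ssf"])
        verdicts[conn] = reason
    return verdicts


if __name__ == "__main__":
    for conn, verdict in sorted(check_connections(SECURITY_DIRECTIVE, SAMPLE_LOG).items()):
        print("conn=%d: %s" % (conn, verdict))
```

Running it against the sample shows the point of the reply: with `tls_ssf=32` logged, `security tls=128` can never be satisfied, and only a requirement of 32 or less (or a server whose TLS negotiates a higher SSF) lets the connection through. Feeding it the real slapd log and the real `security` line is a quick way to confirm whether a "stronger TLS confidentiality required" error is a configuration mismatch rather than a client-certificate problem.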


