On 05/16/2014 09:11 AM, [email protected] wrote:
> Full_Name: Philip Guenther
> Version: 2.4.39
> OS: OpenBSD
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (76.253.0.176)
>
>
> The ldap.conf(5) manpage says this about TLS_REQCERT
>        TLS_REQCERT <level>
>               Specifies what checks to perform on server certificates in a TLS
>               session, if any. The <level> can be specified as one of the
>               following keywords:
>               ...
>
>               try    The server certificate is requested. If no certificate is
>                      provided, the session proceeds normally. If a bad
>                      certificate is provided, the session is immediately
>                      terminated.
>
>               demand | hard
>                      These keywords are equivalent. The server certificate is
>                      requested. If no certificate is provided, or a bad
>                      certificate is provided, the session is immediately
>                      terminated. This is the default setting.
>
>
> In testing, I can find no difference in behavior between the 'try' and 'hard'
> keywords. For the ldap* tools, both 'try' and 'hard' seem to place the same
> requirements on the server. What does "if no certificate is provided" *mean* in
> terms of server and/or client configuration?
>
See ITS#7744.

-- 
Jan Synacek
Software Engineer, Red Hat
