On Sunday, 23 August 2009 19:29:28, [email protected] wrote:
> ..."If the client does not send a certificate, it can still connect."
>
> Does that mean that traffic is still encrypted if a certificate is not
> used?
Yes, it does.
One would commonly expect because of the typical HTTPS behaviour that only
the server has to authenticate itself, i.e. provide a valid, signed
certificate. However, the server may also ask the client to authenticate
itself with a valid certificate. In such cases, the administrator has set up
a public key/certificate infrastructure. This is common e.g. with (Open)VPN,
where not password logins, but certificates are the recommended way of
establishing an authenticated, authorized tunnel.
OpenLDAP behaves in a similar way, thus "tlsverifyclient allow" triggers the
behaviour one knows from a typical HTTPS browser session.
-- Eric
>
> ----- Original Message -----
> From: Emmanuel Dreyfus <[email protected]>
> To: Mullis, Josh (CCI-Atlanta); [email protected]
> <[email protected]> Sent: Sun Aug 23 02:59:05 2009
> Subject: Re: tlsverifyclient security implications
>
> Josh Mullis <[email protected]> wrote:
> > What are the security implications concerning the following setting in
> > slapd.conf:
> > tlsverifyclient allow
>
> As far as I understand, if the client sends a certificate, then slapd
> can use it to map client to a LDAP DN, like this:
> authz-regexp cn=foo uid=foo,dc=example,dc=net
>
> If the client does not send a certificate, it can still connect.
>
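The behaviour discussed in this thread, as an added illustration that is not part of the original mail or of OpenLDAP's code: a small model of what identity a TLS session ends up with under each TLSVerifyClient setting (the OpenLDAP values never, allow, try and demand), plus an authz-regexp style mapping from the certificate subject DN to an LDAP DN like the one Emmanuel quoted. The certificate records, the regex rule and the exact subject DN form are constructed for the example; real slapd derives the authentication identity from the certificate subject and uses $1-style group references, which the helper converts to Python backreferences.

```python
import re

# Constructed rule in the spirit of the quoted "authz-regexp cn=foo uid=foo,...":
# the match is a regex over the identity derived from the client certificate
# subject, the replacement may reference capture groups as $1, $2, ...
AUTHZ_REGEXP_RULES = [
    (r"^cn=([^,]+),ou=people,dc=example,dc=net$", "uid=$1,dc=example,dc=net"),
]


def map_cert_subject_to_dn(subject, rules=AUTHZ_REGEXP_RULES):
    """Apply authz-regexp style rules to a certificate subject DN.

    Returns the rewritten DN for the first matching rule. Assumption for
    this example: when no rule matches, slapd keeps the derived subject DN
    as the authentication identity, so the subject is returned unchanged.
    """
    for pattern, replacement in rules:
        m = re.match(pattern, subject, flags=re.IGNORECASE)
        if m:
            # slapd writes group references as $1; Python's expand wants \1
            return m.expand(re.sub(r"\$(\d+)", r"\\\1", replacement))
    return subject


def tls_session_identity(mode, cert):
    """Model the outcome of the TLS handshake for one TLSVerifyClient mode.

    cert is None (client sent nothing) or a constructed dict with
    'subject' (DN string) and 'valid' (True if the chain verified).
    Returns (status, dn) where status is 'rejected', 'anonymous' or
    'authenticated'. The session is encrypted in every non-rejected case;
    the question is only who the client is.
    """
    mode = mode.lower()
    if mode not in ("never", "allow", "try", "demand"):
        raise ValueError(f"unknown TLSVerifyClient value: {mode}")

    if mode == "never":
        # No certificate is requested at all: always an anonymous TLS session.
        return ("anonymous", None)

    if cert is None:
        # allow and try tolerate a missing certificate; demand does not.
        return ("rejected", None) if mode == "demand" else ("anonymous", None)

    if not cert["valid"]:
        # allow ignores a bad certificate; try and demand terminate.
        return ("anonymous", None) if mode == "allow" else ("rejected", None)

    return ("authenticated", map_cert_subject_to_dn(cert["subject"]))


def summarize(cert):
    """Tabulate every mode for one client certificate situation."""
    return {mode: tls_session_identity(mode, cert)
            for mode in ("never", "allow", "try", "demand")}


if __name__ == "__main__":
    # Constructed sample clients.
    good = {"subject": "cn=foo,ou=people,dc=example,dc=net", "valid": True}
    bad = {"subject": "cn=mallory,ou=people,dc=example,dc=net", "valid": False}
    for label, c in (("no cert", None), ("valid cert", good), ("bad cert", bad)):
        print(label, summarize(c))
```

The point for reviewing "tlsverifyclient allow": only "demand" turns the certificate into a gate; under "allow" a client without (or with an unverifiable) certificate still gets an encrypted session, so whatever an anonymous session is permitted to do is decided by the access directives, not by TLS. The mapping helper shows the other half of Emmanuel's description: a verified certificate becomes a DN that the ACLs then treat like any other authenticated identity.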