On Wed, 13 Nov 2013, Ulrich Windl wrote:
> >>> Philip Guenther <[email protected]> wrote on 12.11.2013 at 16:37
> >>> in message <[email protected]>:
> > On Tue, 12 Nov 2013, Jan Synacek wrote:
> >> quoting ldap.conf(5):
> >>
> >> TLS_REQCERT <level>
> >> ...
> >> try The server certificate is requested. If no certificate is
> >> provided, the session proceeds normally.
>
> Maybe that should read "... If no VALID certificate is..."
I can't tell whether you're claiming that's how the code
 * _does_ behave, and you've tested it
 * _does_ behave, but you haven't tested it, OR
 * _should_ behave, in your opinion.

> > Almost all TLS cipher suites, including the most deployed ones,
> > require the server to have a certificate, period. If you look at the
> > output of
>
> Yes, but the certificate could be expired or mismatching the host, etc.

I see no guarantee from OpenLDAP docs or code or OpenSSL docs or code that
such a setup would not fail immediately. I'm not going to bother checking
because such a setup would be insecure and a waste of resources.

"What problem are you trying to solve?"

Philip Guenther
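Editor's note, not part of the thread: the exchange above is about the TLS_REQCERT levels documented in ldap.conf(5). The fragment below is an added example of an OpenLDAP client configuration showing the "try" level the thread discusses beside the strict "demand" level that a deployment should normally use. The file path, certificate paths and URI are placeholders; the level semantics are those of ldap.conf(5).

```conf
# /etc/openldap/ldap.conf  (path is a placeholder; distributions differ)

# Weak: "try" requests the server certificate but, per the ldap.conf(5)
# text quoted in the thread, lets the session proceed if none is provided
# (a bad certificate still aborts). As Philip points out, nearly every
# deployed cipher suite requires a server certificate anyway, so this
# level buys nothing over "demand" for a normal deployment.
#TLS_REQCERT try

# Strict: "demand" (alias "hard", the ldap.conf(5) default) terminates the
# session unless a certificate is provided and verifies against the trust
# anchors configured below.
TLS_REQCERT demand

# Trust anchors used for that verification; without one, "demand" cannot
# succeed. Paths are placeholders.
TLS_CACERT    /etc/openldap/certs/ca-bundle.pem
#TLS_CACERTDIR /etc/openldap/certs

# Server URI (placeholder); use ldaps:// or StartTLS (ldapsearch -ZZ) so
# the TLS_REQCERT policy actually applies to every connection.
URI ldaps://ldap.example.org
```

A quick way to see the difference is to point TLS_CACERT at an empty file: with "demand" every ldapsearch over TLS fails at the handshake, while with "try" the same request still fails, because the server presents a certificate that cannot be verified, which is exactly the case Philip says "try" does not relax.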
