On 15/6/05 8:58, Bob <[EMAIL PROTECTED]> wrote:

> I am new to both and want to understand a little better how the certificate
> exchange works.
> If the server is providing a certificate, does the client need anything
> stored locally? Or does the server provide everything needed during the
> handshaking? Along the same lines - is capath required if the server is
> providing a certificate? Is the certificate validated automatically in perl
> ldap, or do I need to validate the certificate myself? Very nooby
> questions, but I've never worked with this stuff before. Everything else
> looks pretty simple.
> Any information on how this works is appreciated. Thanks

It all depends on where your server got its certificate from. The OpenSSL
code that we use in Net::LDAP (or rather that an underlying module uses)
knows about a number of CAs, and will automatically trust certificates
signed by one of those CAs.

If your server's cert isn't signed by one of those CAs, you'll either need
to add the signer's certificate to OpenSSL's default directory of CA
certificates (don't set capath or cafile), or put it in your own directory
of CA certificates (and set capath), or just stick it in a file somewhere
and use cafile. The choice is yours :-)

You will therefore always need the signer's certificate in a file
*somewhere*.

The openssl installation on my Mac doesn't seem to have any CA certificates
installed, so I can't tell you where the default directory of CA
certificates is - sorry! I'm pretty sure all their filenames end in 'pem.0',
if that helps.

The documentation of Net::LDAP's start_tls method contains some extra info
about this, which you'll need to read as well.

Good luck, and try not to be tempted to use verify => 'none' :-)

Cheers,

Chris
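An added example, not part of the thread, of the start_tls call Chris describes: the signer's certificate is supplied through cafile and verify is set to 'require', so an untrusted server certificate fails the handshake instead of being silently accepted. The host name and CA file path are assumptions.

```perl
#!/usr/bin/perl
# Added example (not from the list thread): Net::LDAP start_tls with the
# server certificate verified against the signer's certificate in a file.
use strict;
use warnings;
use Net::LDAP;

# The three ways the reply lists for trusting the signer's certificate:
#   - neither option set -> OpenSSL's default CA directory is searched
#   - capath => $dir     -> your own directory of CA certificates
#   - cafile => $file    -> a single PEM file holding the signer's cert
# verify => 'none' would skip the check entirely, which is what to avoid.
my %tls_opts = (
    verify => 'require',                        # untrusted cert = failed handshake
    cafile => '/etc/ssl/certs/my-ldap-ca.pem',  # assumed path to the signer's cert
);

sub connect_with_tls {
    my ($host) = @_;
    my $ldap = Net::LDAP->new($host)
        or die "cannot connect to $host: $@";

    my $mesg = $ldap->start_tls(%tls_opts);
    if ($mesg->code) {
        # With verify => 'require', a certificate that does not chain to
        # something in cafile/capath surfaces here as a start_tls error.
        die "start_tls failed: " . $mesg->error;
    }
    return $ldap;
}

my $ldap = connect_with_tls('ldap.example.com');   # assumed host name
my $bind = $ldap->bind;                             # anonymous bind over TLS
die "bind failed: " . $bind->error if $bind->code;
print "TLS established and certificate verified\n";
$ldap->unbind;
```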