[Pkg-openldap-devel] Bug#823232: Bug#823232: libldap-2.4-2: Cannot connect to LDAP server with invalid (self-signed or non-standard CA signed) certificate
aki.tuomi at dovecot.fi
Sun May 15 14:08:17 UTC 2016
> On May 15, 2016 at 6:13 AM Ryan Tandy <ryan at nardis.ca> wrote:
>
>
> On Mon, May 02, 2016 at 05:44:58PM +0300, Aki Tuomi wrote:
> >2. Try to connect with openldap -Z -H ldap://server ...
> >
> >Expected behaviour
> >Invalid cert ignored, and TLS continues
>
> I failed to read this closely enough the first time.
>
> This is actually not the intended behaviour, though: the meaning of the
> -Z option is to attempt TLS, but continue without it (cleartext) if the
> startTLS operation fails. Therefore using TLS_REQCERT allow and -ZZ is a
> better solution.
>
> >Actual behaviour
> >Failure with non-descriptive error, debug shows
> >ldap_start_tls: Connect error (-11)
>
> ... but this is not the expected behaviour, either way!
>
> There's something odd going on after the certificate is rejected - may
> be a bug in the GnuTLS support, or in the core TLS implementation - it
> looks like the client sends a plain Bind request while the server is
> still expecting a TLS handshake, possibly. But I'd rather discourage the
> use of this fallback to cleartext anyway, so I'm not going to look
> further into that right now. And an OpenSSL-linked slapd closes the
> connection outright after the TLS negotiation fails, which seems like
> the more prudent thing to do.
Thank you for your help; the OpenLDAP library documentation could probably be better =)
Aki
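As an added example (not from this thread and not OpenLDAP's own code), a small POSIX shell audit of the two points Ryan's reply turns on: an ldap.conf whose TLS_REQCERT value accepts an unverified server certificate (allow, try, never), a "demand" config with no TLS_CACERT/TLS_CACERTDIR trust anchor (which is why a self-signed server gets rejected in the first place), and a client command line that uses a single -Z, which falls back to cleartext when StartTLS fails, instead of -ZZ. The hostname, certificate path and both sample ldap.conf files are constructed for the demo; the hardened variant pins the self-signed server certificate via TLS_CACERT rather than relaxing TLS_REQCERT.

```shell
#!/bin/sh
# Added example: audit OpenLDAP client TLS settings for the two weaknesses
# discussed in the bug thread. Sample files below are constructed.
set -eu

# Return 0 if ldap.conf only accepts verified server certificates and has a
# trust anchor configured; return 1 (with a message on stderr) otherwise.
# Usage: check_reqcert /path/to/ldap.conf
check_reqcert() {
    conf="$1"
    # The last TLS_REQCERT line wins; OpenLDAP's default is "demand".
    mode=$(awk 'tolower($1)=="tls_reqcert"{m=tolower($2)}
                END{print (m=="" ? "demand" : m)}' "$conf")
    case "$mode" in
        demand|hard) ;;
        *)
            echo "WEAK: TLS_REQCERT $mode accepts an unverified server certificate" >&2
            return 1 ;;
    esac
    # With "demand", the server cert must chain to a configured trust anchor,
    # otherwise every StartTLS handshake against a self-signed server fails.
    if ! grep -Eiq '^[[:space:]]*TLS_CACERT(DIR)?[[:space:]]' "$conf"; then
        echo "WARN: TLS_REQCERT demand but no TLS_CACERT/TLS_CACERTDIR configured" >&2
        return 1
    fi
    return 0
}

# Return 0 if the client command line requires TLS: either an ldaps:// URI or
# -ZZ (StartTLS must succeed). A lone -Z continues in cleartext on failure.
# Usage: check_starttls_flag ldapsearch -ZZ -H ldap://host ...
check_starttls_flag() {
    for arg in "$@"; do
        case "$arg" in
            ldaps://*|-ZZ) return 0 ;;
        esac
    done
    for arg in "$@"; do
        case "$arg" in
            -Z)
                echo "WEAK: -Z falls back to cleartext if StartTLS fails; use -ZZ" >&2
                return 1 ;;
        esac
    done
    echo "WEAK: no TLS requested at all" >&2
    return 1
}

# Constructed sample configs for the demo.
WEAK_CONF=$(mktemp)
GOOD_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
# constructed sample: trusts any certificate the server presents
URI ldap://ldap.example.test
TLS_REQCERT allow
EOF
cat > "$GOOD_CONF" <<'EOF'
# constructed sample: pins the server's self-signed certificate instead
URI ldap://ldap.example.test
TLS_CACERT /etc/ldap/ldap-server-selfsigned.pem
TLS_REQCERT demand
EOF

# Stand-alone demo run (hostname is a constructed placeholder).
if [ "${1:-}" = "demo" ]; then
    check_reqcert "$GOOD_CONF" && echo "good ldap.conf: ok"
    check_reqcert "$WEAK_CONF" || echo "weak ldap.conf: flagged"
    check_starttls_flag ldapsearch -ZZ -H ldap://ldap.example.test -x && echo "-ZZ: ok"
    check_starttls_flag ldapsearch -Z -H ldap://ldap.example.test -x || echo "-Z: flagged"
fi
```

Run it as `sh audit.sh demo`; the two functions can also be sourced and pointed at a real /etc/ldap/ldap.conf and at the arguments of a script's ldapsearch call. The point of the hardened config is that the self-signed certificate is added as a trust anchor, so verification stays on and -ZZ succeeds.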