On Mon, May 02, 2016 at 05:44:58PM +0300, Aki Tuomi wrote:
2. Try connect with openldap -Z -H ldap://server ...
Expected behaviour
Invalid cert ignored, and TLS continues
I failed to read this closely enough the first time.
This is actually not the intended behaviour, though: the meaning of the
-Z option is to attempt TLS, but continue without it (cleartext) if the
startTLS operation fails. Therefore using TLS_REQCERT allow and -ZZ is a
better solution.
Actual behaviour
Failure with non-descriptive error, debug shows
ldap_start_tls: Connect error (-11)
... but this is not the expected behaviour, either way!
There's something odd going on after the certificate is rejected - may
be a bug in the GnuTLS support, or in the core TLS implementation - it
looks like the client sends a plain Bind request while the the server is
still expecting a TLS handshake, possibly. But I'd rather discourage the
use of this fallback to cleartext anyway, so I'm not going to look
further into that right now. And an OpenSSL-linked slapd closes the
connection outright after the TLS negotiation fails, which seems like
the more prudent thing to do.
