On Fri, Feb 08, 2008 at 05:12:05PM -0800, Steve Langasek wrote:
> Ok, I can reproduce this problem. There are two remaining issues here, that
> I can see:

> - the behavior of "TLS_REQCERT allow" appears to be equivalent to
> "TLS_REQCERT try" in its handling of wrong certificates

I've looked deeper into this, and find that this is not a regression. The
ldapsearch from OpenLDAP 2.3 linked against OpenSSL would also abort the
connection if given a certificate that didn't match the requested hostname.
If you (or someone else) think this behavior is wrong, please file a separate
bug report; otherwise I defer to the existing upstream behavior.

> - with GnuTLS, subjectAltName values are not being validated properly

And this one is now fixed in subversion.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/