--On Tuesday, January 29, 2008 12:09 PM -0800 Steve Langasek
<[EMAIL PROTECTED]> wrote:

> On Tue, Jan 29, 2008 at 08:27:03PM +0100, T.A. van Roermund wrote:
>> Steve Langasek wrote:
>>> Well, I can reproduce the problem when using this value for
>>> TLSCipherSuite. But why would you set this value, rather than leaving
>>> TLSCipherSuite blank to use the default? I don't see the point of
>>> listing *all* the cipher types if you don't intend to exclude some of
>>> them.
>
>> If I leave it blank, it still doesn't work. The behaviour is then
>> exactly equal to the current situation.
>
> Ok. Does your certificate have a proper cn, matching the fqdn of your
> server? That's the only other case where I can reproduce the described
> behavior, but I don't know if that's a behavior change relative to the
> OpenSSL version. (I would have hoped that OpenSSL would also refuse to
> negotiate SSL/TLS with a server whose cn doesn't match the hostname being
> connected to, since this subverts the SSL security model.)

OpenLDAP compiled with OpenSSL behaves the same way, i.e., the cn in the
cert must match the server name (or the fields in subjectAltName, etc.).
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
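The hostname check Quanah describes, written out as an added example (not code from this thread or from OpenLDAP itself): a `getpeercert()`-style dict, constructed here for illustration, is compared against the name the client connected to, preferring `subjectAltName` DNS entries and consulting the CN only when no DNS SAN exists, which is the RFC 6125 rule rather than the looser CN fallback some older verifiers apply.

```python
from typing import Any, Mapping, Tuple

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns;
# not a real server certificate.
SAMPLE_CERT: Mapping[str, Any] = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"),
                       ("DNS", "*.ldap.example.com"),
                       ("IP Address", "192.0.2.10")),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive dNSName match. A wildcard is honoured only as the
    whole left-most label and never spans more than one label (RFC 6125 6.4.3)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert: Mapping[str, Any], hostname: str) -> Tuple[bool, str]:
    """Return (ok, reason) for the name-matching step of server verification.
    The cert must name the host in subjectAltName or, only when the cert
    carries no DNS SAN at all, in the subject commonName."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        # With DNS SANs present the CN is deliberately ignored: a cert that
        # only names the host in its CN fails here (assumption: RFC 6125 rule).
        for san in sans:
            if _dns_name_matches(san, hostname):
                return True, f"matched subjectAltName DNS:{san}"
        return False, f"{hostname!r} not among subjectAltName DNS entries {sans}"
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                if _dns_name_matches(value, hostname):
                    return True, f"matched CN={value} (certificate has no DNS SAN)"
                return False, f"CN={value!r} does not match {hostname!r}"
    return False, "certificate names no host at all"
```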