[ldapvi] ldapvi '--tls' setting

Hallvard Breien Furuseth h.b.furuseth at usit.uio.no
Thu Nov 29 16:00:32 CET 2012


The manual says:
> --tls  never|allow|try|strict   	Level of TLS strictness
>	This option controls the level of certificate checking
>	strictness. Default is try.
>
>	fixme: If anyone has a concise description of what these values
>	mean rather than the wishy-washy explanations I can find right
>	now, please tell. Thanks.

The sane default is strict, or not to override the OpenLDAP default
(strict unless set by ldap.conf).  Then connect fails if the client
cannot verify the certificate, which implies it cannot verify that
the connection is secure.  Or rather, it might have a perfectly
secure connection to a hostile server instead of to the server you
intended to connect to.

The other options are for fooling your client and yourself into
thinking the connection is secure when it isn't.  That makes sense
only for testing TLS locally when you don't have a certificate
yet, or when connecting to a server whose cert is bad and you
decide to risk an insecure connection anyway.  Just like when
your browser warns you about an unverifiable site certificate.

-- 
Hallvard
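The setting the message is arguing about lives in the OpenLDAP client configuration, which the `--tls` option overrides per run. As an added illustration (not part of Hallvard's message or of ldapvi itself), here is an ldap.conf fragment showing the weak form the post warns against next to the strict form it recommends. The value names and their meanings are those documented in ldap.conf(5); the hostname and CA bundle path are made up for the example, and only one of the two sections belongs in a real file.

```conf
# ldap.conf / ~/.ldaprc fragment -- added example, not from the original post.
# TLS_REQCERT values as defined in ldap.conf(5):
#   never  - do not request or check the server certificate at all
#   allow  - request it; a missing or bad certificate is ignored
#   try    - request it; missing is ignored, a bad one aborts the session
#   demand - request it; missing or bad aborts the session (the default)

# ---- WEAK: "secure" connection to whoever answered on port 636 ----
# The session is encrypted, but the peer is never authenticated, so an
# attacker who can redirect traffic gets your credentials and data.
URI         ldaps://ldap.example.org          # hostname is invented
TLS_REQCERT never

# ---- STRICT: what OpenLDAP does when nothing overrides it ----
# The server must present a certificate that chains to a CA in TLS_CACERT
# and matches the host in URI, otherwise the connect fails outright.
URI         ldaps://ldap.example.org          # hostname is invented
TLS_REQCERT demand
TLS_CACERT  /etc/ssl/certs/example-org-ca.pem # path is invented
```

With the strict section in place, an unverifiable server certificate makes the bind fail instead of silently proceeding, and running the client with `-d 1` prints the TLS verification error that caused it. The same knob is available per invocation as the `LDAPTLS_REQCERT` environment variable, which is handy for the "testing TLS locally without a certificate" case the message describes, and keeps the insecure value out of the permanent configuration.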


