changing TLS default behavior (was: [Devel] Patch: cfg.y bug fix - tls_require_client_certificate has no effect)

Klaus Darilion klaus.mailinglists at pernau.at
Tue Dec 5 14:06:30 CET 2006


Klaus Darilion wrote:
> Just a question: certificate validation is turned off by default. IMO 
> this should be turned on by default.
> 
> Thus, I suggest changing the default in openser CVS to "validation=on" 
> and leave it in stable (1.1.x) as it is "validation=off".
> 
> What do you think about that?

Any comments on this? Otherwise I will change the default to require 
certificate verification.

regards
klaus


> 
> thanks
> klaus
> 
> Klaus Darilion wrote:
>> Hi!
>>
>> Thanks - I will take care of it.
>>
>> regards
>> klaus
>>
>>
>>
>> phgs at free.fr wrote:
>>> Hello,
>>>
>>>
>>> Issue:
>>>
>>> Whatever the value of tls_require_client_certificate, client certificates
>>> are NEVER mandatory to connect using TLS.
>>>
>>> I added the following lines in the openser.cfg file:
>>>
>>>     tls_verify_client = 1
>>>     tls_require_client_certificate = 1
>>>
>>> But after restarting openser, I still could connect without any client
>>> certificate and I found this message in the openser logs:
>>>
>>>     Nov 23 15:09:53 localhost openser: TLS: Client verification activated. Client certificates are NOT mandatory.
>>>
>>>
>>> Patch:
>>>
>>> The value found in the configuration file must be stored in
>>> tls_default_server_domain->require_client_cert instead of
>>> tls_default_client_domain->require_client_cert.
>>>
>>>
>>> 690c690
>>> < tls_default_server_domain->require_client_cert=$3;
>>> ---
>>>> tls_default_client_domain->require_client_cert=$3;
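Review bot: the direction of this diff at line 690 contradicts the description above it. The "<" (old) line assigns to tls_default_server_domain->require_client_cert and the ">" (new) line assigns to tls_default_client_domain->require_client_cert, while the text says the value must be stored in the server domain. The arguments to diff look swapped; please regenerate the patch as old-then-new, ideally as a unified diff (diff -u) that names the file, so it applies in the intended direction.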
>>>
>>>
>>> Regards,
>>> Philippe
>>>
>>>
>>>
>>
>>
> 
> 


-- 
Klaus Darilion
nic.at



