[Devel] Re: changing TLS default behavior

Bogdan-Andrei Iancu bogdan at voice-system.ro
Tue Dec 5 14:10:36 CET 2006


Hi Klaus,

fine with me.

regards,
bogdan

Klaus Darilion wrote:

> Klaus Darilion wrote:
>
>> Just a question: certificate validation is turned off by default. IMO 
>> this should be turned on by default.
>>
>> Thus, I suggest changing the default in openser CVS to 
>> "validation=on" and leave it in stable (1.1.x) as it is 
>> "validation=off".
>>
>> What do you think about that?
>
>
> Any comments on this? Otherwise I will change the default to require 
> certificate verification.
>
> regards
> klaus
>
>
>>
>> thanks
>> klaus
>>
>> Klaus Darilion wrote:
>>
>>> Hi!
>>>
>>> Thanks - I will take care of it.
>>>
>>> regards
>>> klaus
>>>
>>>
>>>
>>> phgs at free.fr wrote:
>>>
>>>> Hello,
>>>>
>>>>
>>>> Issue:
>>>>
>>>> Whatever the value of tls_require_client_certificate, client 
>>>> certificates are
>>>> NEVER mandatory to connect using TLS.
>>>>
>>>> I added the following lines in the openser.cfg file:
>>>>
>>>>     tls_verify_client = 1
>>>>     tls_require_client_certificate = 1
>>>>
>>>> But after restarting openser, I still could connect without any client
>>>> certificate and I found this message in the openser logs:
>>>>
>>>>     Nov 23 15:09:53 localhost openser: TLS: Client verification activated. Client certificates are NOT mandatory.
>>>>
>>>>
>>>> Patch:
>>>>
>>>> The value found in the configuration file must be stored in
>>>> tls_default_server_domain->require_client_cert instead of
>>>> tls_default_client_domain->require_client_cert.
>>>>
>>>>
>>>> 690c690
>>>> < tls_default_server_domain->require_client_cert=$3;
>>>> ---
>>>>
>>>>> tls_default_client_domain->require_client_cert=$3;
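Review bot: the direction of this hunk is reversed relative to the description above it. In normal diff output `<` marks the old line and `>` the new one, so applying 690c690 as posted would replace the tls_default_server_domain assignment with the tls_default_client_domain one, which is the opposite of the stated fix. Please regenerate it as old-then-new so that line 690 ends up as tls_default_server_domain->require_client_cert=$3;. A unified diff would also carry the file name, which this hunk does not give.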
>>>>
>>>>
>>>>
>>>> Regards,
>>>> Philippe
>
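The mismatch reported in this thread (the configuration asks for mandatory client certificates while the startup log says they are not mandatory) can be checked for automatically after a restart. The following is an added example, not part of the original messages or of the openser code; the function names, the `#` comment handling and the sample inputs are assumptions constructed from the lines quoted above.

```python
import re

# Constructed sample inputs, modelled on the lines quoted in the thread.
SAMPLE_CFG = """\
# constructed openser.cfg fragment
tls_verify_client = 1
tls_require_client_certificate = 1
"""
SAMPLE_LOG = (
    "Nov 23 15:09:53 localhost openser: TLS: Client verification activated. "
    "Client certificates are NOT mandatory.\n"
)

# Only the log wording that appears in the thread is matched.
NOT_MANDATORY = "Client certificates are NOT mandatory"
_PARAM = re.compile(r"^\s*(tls_\w+)\s*=\s*(\S+)")


def parse_tls_params(cfg_text):
    """Return {name: value} for tls_* assignments.

    Assumption: '#' starts a comment that runs to the end of the line.
    """
    params = {}
    for line in cfg_text.splitlines():
        m = _PARAM.match(line.split("#", 1)[0])
        if m:
            params[m.group(1)] = m.group(2)
    return params


def check_client_cert_enforcement(cfg_text, log_text):
    """Compare the configured intent with what the server logged.

    Returns a list of findings; an empty list means no mismatch was seen.
    """
    params = parse_tls_params(cfg_text)
    wants_cert = params.get("tls_require_client_certificate") == "1"
    findings = []
    for line in log_text.splitlines():
        if wants_cert and NOT_MANDATORY in line:
            findings.append("config requires client certs, log says: " + line.strip())
    return findings


if __name__ == "__main__":
    for finding in check_client_cert_enforcement(SAMPLE_CFG, SAMPLE_LOG):
        print(finding)
```
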



