lists.arthurdejong.org

Re: [nssldap] Questions about start_tls

On Wed, Dec 10, 2008 at 3:23 PM, Andrew Findlay <andrew.findlay [at] skills-1st.co.uk> wrote:
> I have not tried this, but I suspect that the client-side debug is
> showing stuff before it gets encrypted for transmission. It would not
> be much use for debugging otherwise!
>
> You can check what is on the wire using wireshark.
>
> As a general point I would suggest always making a long-lived CA
> certificate and using that to sign your server certificates. It makes
> management of certs much easier when you have many servers and clients.
> You can then distribute the CA cert to the clients and use it to
> verify server certs - very important if you want real security.
>
> Andrew
> --

I did tcpdump and all is well. This is funny, and I'd be embarrassed if I wasn't so relieved to find that there's not something wrong with the installation. I'll def look at certificate verification and longer-lived certs. Thanks again for your help.
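The "long-lived CA, short-lived server certs, distribute the CA cert to the clients and verify" recipe Andrew describes, as an added worked example that is not part of the thread or of nss-ldapd itself. It uses only the OpenSSL command-line tool (1.1.1 or newer), and the CA name, the host name ldap.example.org and the certificate lifetimes are assumptions chosen for the demonstration. The last function does what a verifying client does with its configured CA file: chain the server certificate to the CA and check that the host name it connected to appears in the certificate.

```shell
#!/bin/sh
# Added example, not code from the original thread or from nss-ldapd: build a
# long-lived private CA, sign a server certificate with it, and check that
# certificate the way a client with a configured CA file does.
# Requires the OpenSSL 1.1.1+ CLI. All names ("Example LDAP CA",
# ldap.example.org) and lifetimes below are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME: self-signed CA certificate valid for ten years (an assumed
# lifetime; the point is that it outlives many generations of server certs).
make_ca() {
  name="$1"
  cat > "$WORK/$name.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = $name
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/$name.cnf" -keyout "$WORK/$name.key" -out "$WORK/$name.pem" \
    2>/dev/null
}

# make_server_cert CA HOST: one-year server certificate for HOST, signed by CA.
# HOST must be the name clients actually connect to; it goes into the SAN.
make_server_cert() {
  ca="$1"; host="$2"
  cat > "$WORK/$host.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
EOF
  cat > "$WORK/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/$host.cnf" -keyout "$WORK/$host.key" -out "$WORK/$host.csr" \
    2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$WORK/$host.csr" \
    -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" -CAcreateserial \
    -extfile "$WORK/$host.ext" -out "$WORK/$host.pem" 2>/dev/null
}

# client_check CA HOST CERT: the check a verifying client performs with its
# CA file: chain CERT to CA and require HOST to match a name in CERT.
# Prints "ok" or "fail".
client_check() {
  if openssl verify -CAfile "$WORK/$1.pem" -verify_hostname "$2" "$WORK/$3.pem" \
       >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Walk-through: one trusted CA, one unrelated ("rogue") CA, one server cert.
demo() {
  make_ca ca
  make_ca rogue
  make_server_cert ca ldap.example.org
  echo "trusted CA, right host: $(client_check ca ldap.example.org ldap.example.org)"
  echo "trusted CA, wrong host: $(client_check ca other.example.org ldap.example.org)"
  echo "unrelated CA:           $(client_check rogue ldap.example.org ldap.example.org)"
}
demo
```

Only the first check passes: a certificate from an unrelated CA, or a valid certificate presented under the wrong host name, is rejected just as it would be by a client that demands verification. On the nss-ldapd side the client-side half of this is the `ssl start_tls`, `tls_reqcert demand` and `tls_cacertfile` options in nslcd.conf (see nslcd.conf(5)); with `tls_reqcert` left at a permissive setting the CA file is pointless, because the client still talks to whoever answers. To confirm what the client's debug output does not tell you, watch the wire as Andrew suggests: `tcpdump -i any -A port 389` should show cleartext LDAP only up to the StartTLS extended operation and opaque TLS records after it.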