elecharny commented on PR #339: URL: https://github.com/apache/directory-server/pull/339#issuecomment-4332704634
Hi Colm, can you explain the rationale behind this modification? For replication, the idea is to enforce the remote server certificate check to be sure it is the proper client (call it mTLS if you like ;-). I'm not sure it's correctly implemented, and I think we should offer the possibility of either not verifying the server and the client (very unsafe), verifying the server but not the client (not very safe), or verifying both (safer).

There is some strategic change in this area, with most of the biggest CA providers starting to remove the Client Authentication Extended Key Usage in certificates, and I believe it will impact us, but we still have to analyze to what extent.

Many thanks!
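The three options listed in the comment above (verify neither side, verify the provider only, verify both), plus the effect of a consumer certificate issued without the Client Authentication EKU, as an added example that is not part of PR #339 or of ApacheDS itself. It uses Go's crypto/tls in place of the Java TLS stack, runs each handshake entirely in memory, and issues throwaway certificates from CAs generated at startup. The host names provider.example and consumer.example, the CA names, the `ca`/`outcome`/`handshake`/`scenarios` helpers and the scenario labels are all assumptions made for the demo. The last scenario is the one the CA policy change produces: Go's server-side verifier requires the clientAuth EKU whenever the leaf lists any EKU at all, so a certificate issued with only serverAuth is rejected under mutual verification even though it chains to the trusted root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	pool *x509.CertPool
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mkCert fills in serial and validity, then signs tmpl (whose key is key) with signer's key.
func mkCert(tmpl, parent *x509.Certificate, key, signer *ecdsa.PrivateKey) []byte {
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	return must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
}

func newCA(name string) *ca {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	cert := must(x509.ParseCertificate(mkCert(tmpl, tmpl, key, key)))
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &ca{cert: cert, key: key, pool: pool}
}

// issue returns a leaf for host with exactly the given EKUs, so a serverAuth-only leaf can be made on purpose.
func (c *ca) issue(host string, ekus ...x509.ExtKeyUsage) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: ekus}
	return tls.Certificate{Certificate: [][]byte{mkCert(tmpl, c.cert, key, c.key)}, PrivateKey: key}
}

// Throwaway in-memory fixtures (assumed names): the root replication trusts, a root it does not, and the leaves.
var (
	trusted       = newCA("replication trust root")
	rogue         = newCA("unrelated root")
	provider      = trusted.issue("provider.example", x509.ExtKeyUsageServerAuth)
	rogueProvider = rogue.issue("provider.example", x509.ExtKeyUsageServerAuth)
	consumer      = trusted.issue("consumer.example", x509.ExtKeyUsageClientAuth)
	consumerNoEKU = trusted.issue("consumer.example", x509.ExtKeyUsageServerAuth)
)

type outcome struct{ serverErr, clientErr error } // nil means that side accepted its peer

// handshake runs one TLS handshake in memory: policy is what the provider demands of the consumer,
// verifyProvider is whether the consumer checks the provider against the trusted root.
func handshake(prov tls.Certificate, policy tls.ClientAuthType, verifyProvider bool, consumerCerts ...tls.Certificate) outcome {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{prov}, ClientAuth: policy, ClientCAs: trusted.pool}
	cliCfg := &tls.Config{RootCAs: trusted.pool, ServerName: "provider.example", Certificates: consumerCerts,
		InsecureSkipVerify: !verifyProvider} // InsecureSkipVerify is the "do not verify the server" option
	// Two net.Pipes joined by copying goroutines buffer each direction, so an alert sent mid-flight
	// cannot deadlock against the other side's still-pending write (a bare net.Pipe can).
	cliEnd, relayIn := net.Pipe()
	relayOut, srvEnd := net.Pipe()
	go io.Copy(relayOut, relayIn)
	go io.Copy(relayIn, relayOut)
	cliEnd.SetDeadline(time.Now().Add(5 * time.Second))
	srvEnd.SetDeadline(time.Now().Add(5 * time.Second))
	defer func() { cliEnd.Close(); srvEnd.Close() }()
	done := make(chan error, 1)
	go func() { done <- tls.Server(srvEnd, srvCfg).Handshake() }()
	clientErr := tls.Client(cliEnd, cliCfg).Handshake()
	return outcome{serverErr: <-done, clientErr: clientErr}
}

// scenarios covers the three options from the discussion plus the missing-EKU case.
func scenarios() map[string]outcome {
	return map[string]outcome{
		"verify neither, rogue provider":             handshake(rogueProvider, tls.NoClientCert, false),
		"verify provider only, rogue provider":       handshake(rogueProvider, tls.NoClientCert, true),
		"verify provider only, trusted provider":     handshake(provider, tls.NoClientCert, true),
		"verify both, consumer has clientAuth EKU":   handshake(provider, tls.RequireAndVerifyClientCert, true, consumer),
		"verify both, consumer sends no certificate": handshake(provider, tls.RequireAndVerifyClientCert, true),
		"verify both, consumer lacks clientAuth EKU": handshake(provider, tls.RequireAndVerifyClientCert, true, consumerNoEKU),
	}
}

func main() {
	for name, o := range scenarios() {
		fmt.Printf("%-45s provider side: %v | consumer side: %v\n", name, o.serverErr, o.clientErr)
	}
}
```

Run it with `go run`; each line shows the error each side ended with, or `<nil>` where that side accepted its peer. The two sides are reported separately on purpose: under TLS 1.3 the consumer's handshake completes as soon as it has sent its Finished, before the provider has checked the consumer's certificate, so a rejected consumer (no certificate, or a certificate without the clientAuth EKU) shows up only on the provider side, while a rejected provider shows up on the consumer side.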
