Server authentication behavior

Following the Hello messages, the server sends its certificate in a Certificate message if it is to be authenticated. If required, a ServerKeyExchange message may also be sent. See RFC 5246, section 7.3, for more information about the authentication behavior on the LDAP server.

The trust-anchor-profile command determines whether the server must be authenticated by the client.

config>system>security>tls
  client-tls-profile ldap create
    [no] trust-anchor-profile

Note: If the trust-anchor-profile is configured and the ca-certificate or ca-profile is missing from this trust-anchor-profile, the TLS connection fails and an "unknown_ca" error is generated, as per RFC 5246 section 7.2.2.

One of the following two configurations can be used to establish server connectivity:

  1. If trust-anchor-profile is configured under the TLS client-tls-profile context, the server must be authenticated via the trust-anchor-profile command before a trusted connection is established between the server and the client.

  2. If there is no trust-anchor-profile under the client-tls-profile context, the trusted connection can be established without server authentication. Because the RSA key in the certificate is still used for public key encryption, the client performs basic certificate checks to validate the certificate. These basic checks are as follows:

    • time validity

      The certificate is checked to ensure that it is neither expired nor not yet valid.

    • certificate type

      The certificate is not a CA certificate.

    • keyUsage extension

      If present, the extension must include both the digitalSignature and keyEncipherment (key encryption) usages.

    • host verification

      The IP address or DNS name of the server, where available (for LDAP, only the IP address is used), is looked up in the common name (cn) or the subjectAltName extension. This verifies that the certificate was issued to that server and not to another.
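The four basic checks above, written out as an added example in Go (this is illustrative code, not the router's own implementation): the function `basicChecks` and the constructed test certificates from `selfSigned` are assumptions of the example, with hypothetical values, and the host check uses the IP address only, as for LDAP.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// basicChecks applies the checks a client performs when no trust-anchor-profile is
// configured: time validity, certificate type, keyUsage and host verification (IP only).
func basicChecks(cert *x509.Certificate, serverIP net.IP, now time.Time) error {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("time validity: certificate not valid at %s", now.UTC())
	}
	if cert.IsCA {
		return fmt.Errorf("certificate type: a CA certificate was offered as the server certificate")
	}
	want := x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment // required only if present
	if cert.KeyUsage != 0 && cert.KeyUsage&want != want {
		return fmt.Errorf("keyUsage: digitalSignature and keyEncipherment are required")
	}
	for _, ip := range cert.IPAddresses { // subjectAltName iPAddress entries
		if ip.Equal(serverIP) {
			return nil
		}
	}
	if cn := net.ParseIP(cert.Subject.CommonName); cn != nil && cn.Equal(serverIP) {
		return nil
	}
	return fmt.Errorf("host verification: %s is not in the CN or subjectAltName", serverIP)
}

// selfSigned builds a constructed test certificate (all values hypothetical) so the
// checks can be exercised offline; a nil san slice omits the subjectAltName extension.
func selfSigned(cn string, san []net.IP, isCA bool, usage x509.KeyUsage, notAfter time.Time) *x509.Certificate {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.Add(-24 * time.Hour), NotAfter: notAfter, IPAddresses: san,
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: usage}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```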