
RE: kill -INT corrupts database (ITS#1982)



> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of
> quanah@stanford.edu
> Sent: Tuesday, August 27, 2002 2:45 PM

> 2 new questions, thought I'd run this by you before I create ITS's
> on it to see if I'm just missing something.  Note that none of these were
> problems under 2.1.3.
>
> Issue 1) Since we don't particularly want to spend several hundred
> dollars buying certs for our test systems, we've opted to use self-signed certs.
> This has worked fine until upgrading to OpenLDAP-2.1.4.  Our primary
> machine (ldap4), however, does have a verisign cert.
> Now that we are on 2.1.4, slurpd complains that the certificates on our
> replicants (the self-signed ones) are expired.  I checked the
> certs on the replicants, and they are good until the year 2012.  Any clue why
> I'm seeing this?
>
> Note that slapd starts just fine on them and does not complain of
> any TLS issues.

No clue. There are no TLS changes between OpenLDAP 2.1.3 and 2.1.4 that would
affect this certificate behavior. (The changes are mainly in the debug/error
messages; also disabling the TLS_CACERTDIR support if the platform doesn't
provide opendir().) Perhaps your OpenSSL library has changed, or your clocks
are wrong.

As for the issue of self-signed certs - you're fooling yourself if you think
you've gained any security with this approach. It doesn't cost any more money
to create proper server certificates either: just use OpenSSL to create a
single self-signed CA certificate and then use that certificate to create and
sign all your other server certificates. Put your CA's private key on
removable media (I used to recommend floppy disks, but these days they're
rare enough that a CDR might be easier) and remove it from your machine when
you aren't using it to sign certs. Copy the single CA cert to all of your
servers and clients. It's really not hard to do this right.

> --
> Quanah Gibson-Mount
> Senior Systems Administrator
> ITSS/TSS/Computing Systems
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
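The private-CA setup Howard describes above, as an added example that is not part of the original thread: one self-signed CA certificate, a server certificate signed by it, and a client-side check showing that a per-host self-signed certificate does not validate against that CA. Hostnames, subjects and file paths are constructed placeholders; it assumes the `openssl` command line tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal private CA with OpenSSL.
# All names and paths below are constructed placeholders.
set -eu

# Build, in directory $1: a self-signed CA, a server cert signed by it,
# and (for contrast) an unrelated per-host self-signed cert.
build_pki() {
    dir=$1
    mkdir -p "$dir"
    # 1. The one self-signed certificate you keep: the CA. Its private key
    #    (ca.key) is the file that belongs on removable media afterwards.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Private CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. A key and certificate request for a server (placeholder hostname).
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=ldap4.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # 3. Sign the request with the CA key; end-entity extensions come from
    #    a small extfile so the result is marked as a non-CA leaf cert.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldap4.example.test\n' \
        > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
    # 4. The pattern from the question: a self-signed cert per host, which
    #    shares no trust anchor with the CA above.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=ldap5.example.test" \
        -keyout "$dir/rogue.key" -out "$dir/rogue.crt" 2>/dev/null
}

# What a client holding only the distributed CA cert ($1) decides about a
# server cert ($2): exit 0 when the chain validates, non-zero otherwise.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    build_pki "$d"
    verify_chain "$d/ca.crt" "$d/server.crt" && echo "server.crt: trusted via CA"
    verify_chain "$d/ca.crt" "$d/rogue.crt" || echo "rogue.crt: not trusted"
fi
```

Run with `sh pki.sh demo`; only `ca.crt` needs to be copied to the replicas and to slurpd, while `ca.key` stays offline between signings.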