
Re: TLS errors out



Fri, 2002-10-25 at 12:04, Bill Dossett wrote:

> Please don't hit me if this is a stupid question :-)
> but

Actually, I don't see why it should be a stupid question.

> Howard Chu wrote:
> > The cert that was used to sign your server's cert is not contained in the
> > cacert file that you specified for your client. Try putting the correct certs
> > in place. Since your server cert is self-signed that means your server cert
> > must be present in the cacert file. Note that using self-signed certs for
> > individual servers is extremely unwise.

> could you tell me why it is unwise?  I am setting up openLDAP on a 
> server behind my firewall.  It should only be accessed
> from my firewalled network and via a VPN to another network owned
> by my company.. possibly via VPN to roaming clients as well.
> You seem to be recommending that I pay for a cert?  I was hoping
> to create my own.  Again, sorry if I'm misunderstanding, but I'm
> not that keen on spending money on certs.

There seem to be 2 (streams of) ideas of what a "self-signed
certificate" is.

To my mind, it's a certificate pair where both the public and the
private key are produced without the intervention of a Certificate
Authority (CA). You can produce such a certificate by entering:

"openssl req -x509 -newkey rsa:1024 -keyout file1 -out file2 \
              -days 9999 -nodes"

file1 and file2 can even be the same file, which securitywise is a
horrible idea, since every man and his dog must have access to the
private key. And anyway, even if both are held separate, what's the
point of such a thing for validation of identity? Who's vouching for
you?

The alternative is sending a certificate request to a certificate
authority that in turn signs a combination of private and public key and
vouches for the authenticity of that combination. Bit like a driver's
license or a passport.

To my mind, that's not a self-signed certificate any longer, it's a
CA-signed certificate.

However, there's no reason you shouldn't set up your own Certificate
Authority, but then no-one else will know about it, or care. (There's no
reason why you shouldn't issue your own drivers' license, signed by you,
but I doubt that the police would recognize or accept it.) Many
organizations and instances =do= set up their own CAs. But for the most
part the outside world doesn't know about or recognize them. If you do
so, for your own organization, you can sign all others' private/public
key combos with it, if you want (no one but your own clique will
recognize it).

*But* you should be aware that there's a whole hierarchy
involved, revoking such certificates when they aren't valid
any more, storing relevant details in a database and subdelegating
authority to other CAs. Learn all about Certificate Authorities and their
responsibilities first.

So, set up a Certificate Authority for your own organization internally,
by all means; then you won't have to pay the measly amount that Thawte
(for example) charges for vouching for the solidity of your
organization. But don't expect the rest of the world to care. 

Best,

Tony

-- 

Tony Earnshaw

Could have been Henrik Ibsen's, Ole Bull's,
Henrik Wergelands's, Camilla Collet's and more's
last words, but weren't: «Fanden helder, helder
det at have sadset, end det at ikke have sadset
i det hele taget.»

e-mail:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
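The distinction Tony draws (a certificate that vouches for itself versus one signed by a CA the client has been told to trust) and Howard Chu's point that a self-signed server certificate only verifies if the client's cacert file contains that very certificate can be reproduced without any real PKI. The following is an added example, not code from the thread, OpenLDAP or OpenSSL: it uses Go's standard crypto/x509 package in place of the openssl command line, ECDSA keys in place of RSA (the trust logic is the same), and constructed names ("Example Corp Internal CA", "ldap.example.internal") that are purely hypothetical. It builds an in-house CA, issues a CA-signed and a self-signed server certificate for the same key, and then plays the client with four different cacert contents.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Outcome records the client's verdict in each situation discussed in the thread.
type Outcome struct {
	CASignedTrusted   bool // cert issued by the in-house CA, client has that CA in its cacert file
	CASignedWrongRoot bool // same cert, client trusts an unrelated CA: "unknown authority"
	SelfSignedUnknown bool // self-signed server cert not present in the cacert file: "unknown authority"
	SelfSignedPinned  bool // the self-signed server cert itself copied into the cacert file
}

// newKey makes a fresh P-256 key pair (assumption: ECDSA stands in for the
// rsa:1024 key in the openssl command). The private half stays with its owner.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template describes the certificate to issue for cn; isCA marks it as an
// authority allowed to sign other certificates.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn} // the name the client matches against
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl for the holder of pub with signer's private key. With
// parent == nil the certificate vouches for itself: a self-signed cert in
// Tony's sense. With a CA certificate and the CA's key it is CA-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// clientVerify plays the LDAP client: anchors is the content of its cacert
// file, and the server certificate must chain to one of them.
func clientVerify(server *x509.Certificate, anchors ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, a := range anchors {
		roots.AddCert(a)
	}
	_, err := server.Verify(x509.VerifyOptions{DNSName: server.DNSNames[0], Roots: roots})
	return err
}

// unknownAuthority reports whether err means "nobody I trust vouches for this",
// which is what the original poster's TLS failure amounts to.
func unknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// Run builds the constructed CA and server certificates and reports the
// client's verdict for each cacert configuration.
func Run() Outcome {
	caKey := newKey()
	ca := issue(template("Example Corp Internal CA", 1, true), nil, &caKey.PublicKey, caKey)
	otherCAKey := newKey()
	otherCA := issue(template("Unrelated CA", 2, true), nil, &otherCAKey.PublicKey, otherCAKey)

	srvKey := newKey() // the server's key pair; the public half is what a CSR would carry
	caSigned := issue(template("ldap.example.internal", 3, false), ca, &srvKey.PublicKey, caKey)
	selfSigned := issue(template("ldap.example.internal", 4, false), nil, &srvKey.PublicKey, srvKey)

	return Outcome{
		CASignedTrusted:   clientVerify(caSigned, ca) == nil,
		CASignedWrongRoot: unknownAuthority(clientVerify(caSigned, otherCA)),
		SelfSignedUnknown: unknownAuthority(clientVerify(selfSigned, ca)),
		SelfSignedPinned:  clientVerify(selfSigned, selfSigned) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", Run())
}
```

The two failing cases are the same error the client reported in the thread: the server certificate is perfectly well-formed, but nothing in the client's trust file vouches for it. The last case shows why pinning a self-signed certificate works at all, and also why it does not scale: every client needs a copy of every server's certificate, and there is no CA to revoke or replace them, which is the hierarchy Tony says you must take on when you run your own CA.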