Re: tls_reqcert never
On Thu, 19 Mar 2009, alessio wrote:
> In the ldap.conf man page I can read:
> ...
> TLS_REQCERT <level>
> ...
> never The client will not request or check any server certificate.
This description in the manpage is incorrect (cf. ITS 4941). Setting
TLS_REQCERT actually just disables the client's check that the name from
the URI matches the cert's subjectAltName values or CN.
> In this case the ldaps:// connection will be encrypted anyway? Isn't it?
It'll be encrypted, but with no protection from man-in-the-middle attacks,
or even detection of simple misconfigurations (CNAME pointing at wrong
host, etc).
"TLS_REQCERT allow" is only slightly better, doing the name check (so some
misconfigs will be caught) but still skipping the check for a known CA, so
it's still vulnerable to MitM attacks. If you're going to go to the
trouble to use TLS, why not distribute the certs and do it right?
Philip Guenther
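An added illustration of the levels discussed in this thread, not part of the original message: a small POSIX sh audit that flags an ldap.conf using "never" or "allow", or lacking a trust anchor. Function names, the sample hostname and the CA path are my own assumptions; the "demand" default and the meaning of "try" follow ldap.conf(5).

```shell
#!/bin/sh
# Added example, not code from the list post: audit an ldap.conf for the
# TLS_REQCERT levels discussed above. Function names are my own.

# Effective TLS_REQCERT level; ldap.conf(5) defaults to "demand" if absent.
ldap_reqcert_level() {
    awk 'toupper($1)=="TLS_REQCERT" {v=tolower($2)}
         END {print (v=="" ? "demand" : v)}' "$1"
}

# Print findings for one file; return 0 if acceptable, 1 if weak.
audit_ldap_conf() {
    conf=$1; rc=0
    level=$(ldap_reqcert_level "$conf")
    case "$level" in
        never) echo "WEAK: TLS_REQCERT never (no CA check, no name check: MitM undetected)"; rc=1 ;;
        allow) echo "WEAK: TLS_REQCERT allow (name check only, unknown CA accepted)"; rc=1 ;;
        try)   echo "WEAK: TLS_REQCERT try (a server presenting no cert is accepted)"; rc=1 ;;
        demand|hard) echo "OK: TLS_REQCERT $level (cert must chain to a trusted CA)" ;;
        *)     echo "UNKNOWN: TLS_REQCERT $level"; rc=1 ;;
    esac
    # "demand" only helps if the client has a trust anchor to check against.
    if ! grep -Eiq '^[[:space:]]*TLS_CACERT(DIR)?[[:space:]]+[^[:space:]]' "$conf"; then
        echo "WEAK: no TLS_CACERT/TLS_CACERTDIR, so no CA can be trusted"; rc=1
    fi
    return $rc
}

# Constructed sample configs (hostname and CA path are placeholders).
WEAK_CONF=$(mktemp); GOOD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$GOOD_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
URI ldaps://ldap.example.com
BASE dc=example,dc=com
TLS_REQCERT never
EOF
cat > "$GOOD_CONF" <<'EOF'
URI ldaps://ldap.example.com
BASE dc=example,dc=com
TLS_CACERT /etc/ssl/certs/example-ca.pem
TLS_REQCERT demand
EOF

for c in "$WEAK_CONF" "$GOOD_CONF"; do
    echo "== $c"
    audit_ldap_conf "$c" || echo "=> fix before relying on this connection"
done
```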