
RE: How to turn off SSL Hostname check?

Howard & Kurt

Thank you.  I strongly agree with you!  Certificate validation and SSL host
name checks *need* to be in place!
That said, I have no control over the ldap servers in our environment.
(And thus I have no control of the non-existent and malformed certificates
that others have set up in the past).

Netscape's SDK, iPlanet's SDK, and IBM's SDK allow you to turn off this
feature in question.  OpenLDAP's client libraries appear to provide the
same switch.  However, upon testing, the flag is ignored and can be traced
back to one line of code.

So here is my proposed patch and my defense:

Defense: If an application specifically turns off certificate checking, why
require a hostname in a nonexistent or malformed certificate?

Thanks in advance for your help.

 - Aaron

*** libraries/libldap/tls.c.orig        Sat Jan 26 14:55:02 2002
--- libraries/libldap/tls.c     Wed Oct 30 15:00:05 2002
*** 1121,1126 ****
--- 1121,1127 ----

        ld->ld_errno = ldap_pvt_tls_check_hostname( ssl, host );
        if (ld->ld_errno != LDAP_SUCCESS) {
+               if (tls_opt_require_cert)
                return ld->ld_errno;
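Review bot: when `tls_opt_require_cert` is unset, the new `if (tls_opt_require_cert)` skips the `return` but leaves `ld->ld_errno` holding the failure code that `ldap_pvt_tls_check_hostname()` just stored, so the session continues while the handle still reports a hostname-check failure to anything that inspects the error number afterwards; the branch that decides to proceed should reset `ld->ld_errno = LDAP_SUCCESS` and log that the name check was bypassed, so the handle's state matches what actually happened. The condition is also a bare truthiness test; if the option is multi-valued rather than boolean (the TLS_REQCERT keyword accepts several settings), only the zero value disables the check, and the intended mapping should be stated in a comment. Finally, a comment at this site should record that once the check is skipped the certificate no longer binds the session to `host`, which is exactly the property Howard's reply says SSL is supposed to provide.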

"Howard Chu" <hyc@highlandsun.com>@OpenLDAP.org on 11/12/2002 11:05:38 PM

Sent by:    owner-openldap-bugs@OpenLDAP.org

To:    "'Kurt D. Zeilenga'" <Kurt@OpenLDAP.org>, <spangla@nationwide.com>
cc:    <openldap-bugs@OpenLDAP.org>

Subject:    RE: How to turn off SSL Hostname check?

This question is coming up fairly frequently now due to the stricter checking
in the client library.

Let me expand on Kurt's reply, for the record - DON'T DO THIS. Before I go
into details, let me puff a bit - I've been breaking, creating, and
security systems since the mid-80's. I worked with Wietse Venema on the
version of the TCP wrappers over a decade ago, which are now a standard
component of most Unix systems today. I've worked with OpenSSL since way
when it was version 0.66 (SSLeay). I've contributed bug fixes for Kerberos,
DCE, SASL, S/Key, Tripwire, TIS, just about every security tool that's come
along, as well as created several implementations of my own. I know a thing
or two about network security.

Security experts don't come cheap. I'm going to tell you something now for
free that might otherwise cost you hundreds in consulting fees, or
god-only-knows in attack recovery costs:

Anyone who has the ability to eavesdrop on your network also has the ability
to inject packets onto your network. If you think you want to use SSL to
encrypt your data because you want to protect it from eavesdroppers, but
don't care about certificate verification or hostname checks, then you might
as well leave everything in plaintext because anybody capable of
eavesdropping is also capable of spoofing addresses, hijacking connections,
and interposing their own rogue server into your data stream. If you bypass
the certificate verification and hostname checks, you have rendered the use
of SSL completely pointless. The cert check and hostname check protect you
from rogue servers.

So if you really think you want to turn these checks off, you might as well
save your CPU cycles and turn off SSL completely, because it isn't doing
one bit of good. On the other hand, if you really want to protect the
integrity of your network communications, you need to do it right and set
your certificates properly. You can't get "partial security," you can't do
things half way. Do it right or don't bother.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org] On Behalf Of Kurt D. Zeilenga

> At 09:54 AM 2002-11-12, spangla@nationwide.com wrote:
> >How do you turn off SSL Hostname checking?
> As security of TLS (SSL) relies on host name checking,
> no option is provided to disable host name checking.
> If you really want to disable it, you can always
> hack the code.
> Kurt
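The hostname check this thread argues about, as an added example that is not OpenLDAP's own tls.c code: a Python approximation of the decision a routine like ldap_pvt_tls_check_hostname() has to make, run over constructed certificate dictionaries in the shape returned by ssl.SSLSocket.getpeercert(). It shows why the "malformed or nameless" certificates Aaron mentions fail the check, and what is lost when a policy skips it. The policy names are the TLS_REQCERT values from ldap.conf(5); mapping them to behaviour the way verify_server() does is this example's own assumption, as are the sample certificates and the LDAP_CONNECT_ERROR return value.

```python
"""Hostname verification for a TLS server certificate (added example, not
libldap code). Certificates use the dict layout of ssl.getpeercert()."""
import ipaddress

LDAP_SUCCESS = 0
LDAP_CONNECT_ERROR = -11  # value used here to mirror libldap's ldap.h; assumption


def _match_dns_pattern(pattern, hostname):
    """Match one dNSName (or CN) entry against hostname, case-insensitively.
    Only a whole left-most '*' label is a wildcard and it must be followed by
    at least two labels, so '*.corp.example.com' is fine but '*.com' is not."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False  # partial or non-leftmost wildcards are rejected
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False  # wildcard covers exactly one non-empty label
    return p_labels[1:] == h_labels[1:]


def _ip_matches(ip, san_values):
    """True if any iPAddress SAN entry parses to the same address."""
    for value in san_values:
        try:
            if ipaddress.ip_address(value) == ip:
                return True
        except ValueError:
            continue  # unparsable iPAddress entry: ignore it, never match it
    return False


def check_hostname(cert, host):
    """Return LDAP_SUCCESS if cert names host, else LDAP_CONNECT_ERROR.
    An empty dict is what getpeercert() yields for an unverified peer, so it
    fails just like a missing certificate."""
    if not cert:
        return LDAP_CONNECT_ERROR
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # A literal IP target only matches an iPAddress SAN; the CN is not consulted.
        return LDAP_SUCCESS if _ip_matches(ip, ip_names) else LDAP_CONNECT_ERROR
    if dns_names:
        candidates = dns_names
    else:
        # Fall back to the subject CN only when the cert carries no dNSName SAN.
        candidates = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not candidates:
        return LDAP_CONNECT_ERROR  # nameless ("malformed") certificate: nothing to bind to
    return LDAP_SUCCESS if any(_match_dns_pattern(c, host) for c in candidates) else LDAP_CONNECT_ERROR


def verify_server(cert, host, reqcert="demand"):
    """Apply a TLS_REQCERT-style policy (ldap.conf(5) keyword; this mapping is
    the example's assumption) on top of the name check. Returns (errno, reason)."""
    if reqcert == "never":
        # No server authentication at all: an on-path party can present any
        # certificate, so the session protects nothing beyond plaintext.
        return LDAP_SUCCESS, "hostname check skipped; peer is NOT authenticated"
    errno = check_hostname(cert, host)
    if errno != LDAP_SUCCESS:
        return errno, "certificate does not name %r; refusing to proceed" % host
    return LDAP_SUCCESS, "certificate names %r" % host


# Constructed sample certificates (not real certificates).
GOOD_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "*.corp.example.com")),
}
CN_ONLY_CERT = {"subject": ((("organizationName", "Example"),), (("commonName", "ldap.example.com"),))}
NAMELESS_CERT = {"subject": ((("organizationName", "Example"),),)}
IP_CERT = {"subject": (), "subjectAltName": (("IP Address", "10.0.0.5"),)}

if __name__ == "__main__":
    for cert, host, policy in [
        (GOOD_CERT, "ldap.example.com", "demand"),
        (GOOD_CERT, "dc1.corp.example.com", "demand"),
        (GOOD_CERT, "evil.example.com", "demand"),
        (NAMELESS_CERT, "ldap.example.com", "demand"),
        (NAMELESS_CERT, "ldap.example.com", "never"),
    ]:
        print(policy, host, verify_server(cert, host, policy))
```

The main block walks the cases the thread discusses: a certificate that names the host, a wildcard match, a certificate for some other host, and a nameless certificate under both the demanding and the "never" policy; the last line is the configuration the thread warns against, and the reason string says what it actually buys.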