[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#7045) "ldapsearch -Z" should continue using TLS one cert mis-match

Full_Name: Jason Haar
Version: 2.4.21
OS: Fedora
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

As you know, LDAP passwords are sent in cleartext unless TLS or SASL are used.

However, "ldapsearch -Z" will fall-back onto cleartext if any form of TLS error
occurs, even the non-fatal "TLS: hostname does not match CN in peer certificate"

i.e. TLS is attempted, the hostname doesn't match, so ldapsearch tries again not
using TLS!

This seems wasteful to me. It is still *more secure* to continue the encrypted
TLS session than to fallback onto cleartext. Web browsers are a good example of
this: if you connect to a self-signed https site, you can choose to continue -
as untrusted https is still secured against other attackers. 

If a user wants to guarantee the trustworthiness of their ldapsearch session,
they can use "-ZZ" to achieve that - but I can't see any reason to stop people
using "-Z" if they want to?

(I'm using ldapsearch to dump Active Directory LDAP data via the DNS round-robin
entry for the domain name: as such the LDAP host *never* matches the hostname
DNS round-robin gives back - and I don't care - I just don't want the network
group sniffing my password ;-)