[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#8477) OpenLDAP.org has a broken TLS certificate

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#8477) OpenLDAP.org has a broken TLS certificate
From: hyc@symas.com
Date: Wed, 10 Aug 2016 20:14:06 +0000
Auto-submitted: auto-generated (OpenLDAP-ITS)

demiobenour@gmail.com wrote:
> Full_Name: Demi Obenour
> Version: N/A
> OS: N/A
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (2601:840:8100:6720:2ae3:47ff:fe02:d99e)
>
>
> OpenLDAP.org has an expired self-signed TLS certificate,

This is intentional.

> which makes it
> impossible to securely access the Git repositories over HTTPS.

The repos are only intended to be used via git: and http: anyway.

   This needs to be
> fixed to avoid man-in-the-middle attacks, which would allow arbitrary code
> execution on the developer's machine.

When I discussed this with Kurt, we decided to leave things as-is. Replacing 
an expired self-signed cert with a non-expired self-signed cert wouldn't 
change anything, you still need to set an explicit exception in your client to 
trust the cert.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Prev by Date: (ITS#8477) OpenLDAP.org has a broken TLS certificate
Next by Date: Re: (ITS#8477) OpenLDAP.org has a broken TLS certificate
Index(es):
- Chronological
- Thread