
Re: (ITS#8477) OpenLDAP.org has a broken TLS certificate



On Wed, 2016-08-10 at 21:13 +0100, Howard Chu wrote:
> demiobenour@gmail.com wrote:
> > 
> > Full_Name: Demi Obenour
> > Version: N/A
> > OS: N/A
> > URL: ftp://ftp.openldap.org/incoming/
> > Submission from: (NULL) (2601:840:8100:6720:2ae3:47ff:fe02:d99e)
> > 
> > 
> > OpenLDAP.org has an expired self-signed TLS certificate,
> 
> This is intentional.
> 
> > 
> > which makes it
> > impossible to securely access the Git repositories over HTTPS.
> 
> The repos are only intended to be used via git: and http: anyway.
> 
> > This needs to be
> > fixed to avoid man-in-the-middle attacks, which would allow
> > arbitrary code
> > execution on the developer's machine.
> 
> When I discussed this with Kurt, we decided to leave things as-is.
> Replacing an expired self-signed cert with a non-expired self-signed
> cert wouldn't change anything, you still need to set an explicit
> exception in your client to trust the cert.
> 
Why are the repos only intended to be used via git: and http: ?  Is
there some reason?  This makes them unusable for anyone who cares about
security.

In the past http:// and https:// used an old dumb protocol that was
slow, but that has long since been fixed in Git.

Also, why the self-signed certificate at all?  Let's Encrypt is
providing free certificates.
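Howard's point above, that renewing a self-signed cert changes nothing for a client unless it adds an explicit trust exception, as an added shell example that is not from the thread; it assumes the openssl CLI is installed and uses a throwaway certificate for the constructed name example.invalid, not any real host.

```sh
#!/bin/sh
# Added example: a self-signed cert fails default chain verification whether
# or not it is expired; only pinning it as a trust anchor makes it verify.

# gen_selfsigned DIR DAYS: write DIR/cert.pem and DIR/key.pem, valid DAYS days
gen_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=example.invalid" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# is_self_signed CERT: true when issuer and subject are identical
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# is_expired CERT: true when notAfter is already in the past
is_expired() {
    ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# verifies_with_system_store CERT: what a client does by default
verifies_with_system_store() {
    openssl verify "$1" >/dev/null 2>&1
}

# verifies_with_explicit_trust CERT: the "explicit exception", i.e. the
# cert itself pinned as the only trust anchor
verifies_with_explicit_trust() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Demo: a freshly issued (non-expired) self-signed cert still fails by default
demo_dir=$(mktemp -d)
gen_selfsigned "$demo_dir" 30
is_expired "$demo_dir/cert.pem" && echo "expired" || echo "not expired"
verifies_with_system_store "$demo_dir/cert.pem" \
    && echo "verifies by default" || echo "fails default verification"
verifies_with_explicit_trust "$demo_dir/cert.pem" \
    && echo "verifies with explicit trust" || echo "still fails"
rm -rf "$demo_dir"
```

Running the same checks against a host's served certificate (`openssl s_client -connect host:443 -showcerts`) tells you whether a client would trust it without an exception.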