Re: (ITS#8477) OpenLDAP.org has a broken TLS certificate
On Wed, 2016-08-10 at 21:13 +0100, Howard Chu wrote:
> demiobenour@gmail.com wrote:
> >
> > Full_Name: Demi Obenour
> > Version: N/A
> > OS: N/A
> > URL: ftp://ftp.openldap.org/incoming/
> > Submission from: (NULL) (2601:840:8100:6720:2ae3:47ff:fe02:d99e)
> >
> >
> > OpenLDAP.org has an expired self-signed TLS certificate,
>
> This is intentional.
>
> >
> > which makes it
> > impossible to securely access the Git repositories over HTTPS.
>
> The repos are only intended to be used via git: and http: anyway.
>
> > This needs to be fixed to avoid man-in-the-middle attacks, which would
> > allow arbitrary code execution on the developer's machine.
>
> When I discussed this with Kurt, we decided to leave things as-is.
> Replacing an expired self-signed cert with a non-expired self-signed cert
> wouldn't change anything, you still need to set an explicit exception in
> your client to trust the cert.
>
Why are the repos only intended to be used via git: and http: ? Is
there some reason? This makes them unusable for anyone who cares about
security.
In the past http:// and https:// used an old dumb protocol that was
slow, but that has long since been fixed in Git.
Also, why the self-signed certificate at all? Let's Encrypt is
providing free certificates.