RE: Problems with SSL certification on openldap 2.1.3
You can configure your clients to ignore any server security checks.
But for a little perspective on why these checks are important, consider
how Microsoft botched things in Internet Explorer:
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Tony Earnshaw
> Sent: Friday, August 16, 2002 2:09 PM
> To: Eduardo Fernandes Piva
> Cc: openldap-software@OpenLDAP.org
> Subject: Re: Problems with SSL certification on openldap 2.1.3
> Fri, 2002-08-16 at 20:59, Eduardo Fernandes Piva wrote:
> > TLS_CACERT /usr/share/ssl/certs/ca.cert
> > Is there any way to use SSL without my clients needing to do that? It's a
> > private network and I'm using self-signed certificates.
> The whole point about a CA certificate is that it MUST be available to
> the clients. Otherwise, what warranty does the client have that the
> server is who it says it is? That's what the certificate is for. It is
> from one who guarantees that the "bearer" is bona fide, like a passport
> or a driver's license.
> The only certificate that the clients MUST not see is the server's
> private key, since that's the basis for the server's encryption and
> message digests.
> OpenSSL, as well as browsers such as Netscape, Mozilla, and MS Explorer,
> are delivered with a list of certificates from known Certificate
> Authorities. You yourself can view the browser certs in the browser
> itself. But you can't find your own self-signed CA certificate there,
> unless you import it first (which you have the choice of doing). If you
> import it, you're saying as much as "I trust the issuer".
> You can't view the CA certificates in OpenSSL, since they're hard-coded
> in - but if you compile your own OpenSSL, you'll see, near the end of
> the compile, a list of the built-in certs it has.
> A good info site used to be the South African Thawte, but since it's
> been taken over by Verisign, it's turned into a kind of street booth.
> You could try www.rsasecurity.com - and read the PKI FAQ. You'll need
> that anyway, if you're serious about encryption :-)
> Tony Earnshaw
> The usefulness of RTFM is vastly overrated.
> e-mail: firstname.lastname@example.org
> www: http://www.billy.demon.nl
> gpg public key: http://www.billy.demon.nl/tonni.armor
> Phone: (+31) (0)172 530428
> Mobile: (+31) (0)6 51153356
> GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
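An added illustration of Tony's point about TLS_CACERT, not code from the thread or from OpenLDAP: a throwaway self-signed CA and a server certificate it issued are built in a scratch directory (all names such as private-ca and ldap.example.internal are made up), and the server certificate is then checked by a client that has the CA, by one that does not, and against an impostor's certificate for the same name.

```shell
# Added example, not from the original thread. Requires the openssl CLI.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA named $1. The .cert file is what a client would
# list under TLS_CACERT in ldap.conf; the .key file never leaves the CA host.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.cert" 2>/dev/null
}

# Issue a server certificate for the (made-up) name ldap.example.internal,
# signed by CA $1, written to $WORK/$2.cert.
sign_server() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=ldap.example.internal" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in "$WORK/$2.csr" -CA "$WORK/$1.cert" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.cert" 2>/dev/null
}

make_certs() {
  make_ca private-ca              # the CA the admin actually runs
  make_ca impostor-ca             # somebody else's self-signed CA
  sign_server private-ca server   # the real server certificate
  sign_server impostor-ca fake    # same server name, wrong issuer
}

# Client that imported the CA (TLS_CACERT points at private-ca.cert): succeeds.
verify_with_ca() {
  openssl verify -CAfile "$WORK/private-ca.cert" "$WORK/server.cert" >/dev/null 2>&1
}

# Client without the CA, relying on its default trust store only: fails with
# "unable to get local issuer certificate", the situation behind the question.
verify_without_ca() {
  openssl verify "$WORK/server.cert" >/dev/null 2>&1
}

# Client that has the CA, but is shown the impostor's certificate for the same
# name: fails. This is the "warranty" Tony describes; a client configured to
# skip the check (TLS_REQCERT never in ldap.conf) would accept it instead.
verify_impostor() {
  openssl verify -CAfile "$WORK/private-ca.cert" "$WORK/fake.cert" >/dev/null 2>&1
}
```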