[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: kill -INT corrupts database (ITS#1982)





--On Tuesday, August 27, 2002 4:27 PM -0700 Howard Chu <hyc@symas.com> wrote:

-----Original Message-----
From: owner-openldap-bugs@OpenLDAP.org
[mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of
quanah@stanford.edu
Sent: Tuesday, August 27, 2002 2:45 PM

2 new questions, thought I'd run this by you before I create ITS's
on it to =

see if I'm just missing something.  Note that none of these were
problems=20
under 2.1.3.

Issue 1) Since we don't particularly want to spend several hundred
dollars=20
buying certs for our test systems, we've opted to use self-signed
certs.=20 This has worked fine until upgrading to OpenLDAP-2.1.4.  Our
primary=20 machine (ldap4), however, does have a verisign cert.
Now that we are on 2.1.4, slurpd complains that the certificates on
our=20 replicants (the self-signed ones) are expired.  I checked the
certs on the=20
replicants, and they are good until the year 2012.  Any clue why
I'm seeing this?

Note that slapd starts just fine on them and does not complain of
any TLS=20
issues.

No clue. There are no TLS changes between OpenLDAP 2.1.3 and 2.1.4 that would affect this certificate behavior. (The changes are mainly in the debug/error messages; also disabling the TLS_CACERTDIR support if the platform doesn't provide opendir().) Perhaps your OpenSSL library has changed, or your clocks are wrong.

As for the issue of self-signed certs - you're fooling yourself if you
think you've gained any security with this approach. It doesn't cost any
more money to create proper server certificates either: just use OpenSSL
to create a single self-signed CA certificate and then use that
certificate to create and sign all your other server certificates. Put
your CA's private key on removable media (I used to recommend floppy
disks, but these days they're rare enough that a CDR might be easier) and
remove it from your machine when you aren't using it to sign certs. Copy
the single CA cert to all of your servers and clients. It's really not
hard to do this right.


I'll iterate self-signed a little more.

I created a CA key & cert.
I created a CSR.
I signed the CSR.
I added the CA cert into the list of known CA's for OpenSSL.

I guess self-signed was a misuse of the word on my part. I meant more, not a cert from a commercial provider.

--Quanah

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

Attachment: pgpPPnwZTZe0S.pgp
Description: PGP signature