[Date Prev][Date Next]
Re: Reverse Lookup Server SSL Certivicate CN
At 12:46 AM 1/7/2004, firstname.lastname@example.org wrote:
>When an openLDAP client tries to verify an openLDAP server's SSL certificate, the CN is compared to the server's name as it is provided to the client.
>This is unlike the behavior of my customary authentication mechanism, kerberos, which performs a reverse lookup of the server's IP to locate it's principal.
Kerberos is broken here.
>Can openLDAP be configured to compare the certificate's CN to a reverse lookup of the server's IP?
No. But, IIRC, you can disable certificate checking all together.
Which, from a security standpoint, is no worse than checking the
certificate against information which can easily be spoofed.