
Re: Reverse Lookup Server SSL Certificate CN

At 12:46 AM 1/7/2004, ms419@freezone.co.uk wrote:
>When an openLDAP client tries to verify an openLDAP server's SSL certificate, the CN is compared to the server's name as it is provided to the client.

>This is unlike the behavior of my customary authentication mechanism, Kerberos, which performs a reverse lookup of the server's IP to locate its principal.

Kerberos is broken here.

>Can openLDAP be configured to compare the certificate's CN to a reverse lookup of the server's IP?

No. But, IIRC, you can disable certificate checking altogether.
Which, from a security standpoint, is no worse than checking the
certificate against information which can easily be spoofed.
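To make the point of the reply concrete, here is an added illustration (written for this archive page, not code from the OpenLDAP project or from either poster). It puts the check OpenLDAP actually performs, comparing the certificate's names against the host name the client was told to connect to, beside the reverse-lookup variant the question asks for. The host names, IP addresses, PTR records and certificate dicts are all constructed; the certificates use the dict layout that Python's `ssl.SSLSocket.getpeercert()` returns, and the `PTR_RECORDS` table stands in for reverse DNS.

```python
"""Name checking done against the client-supplied host name, beside the
reverse-lookup variant, which accepts any certificate that matches a PTR
record the peer (or whoever can spoof DNS) controls.

Everything here (names, IPs, certificates, PTR table) is constructed.
Certificates use the dict layout returned by ssl.SSLSocket.getpeercert().
"""

import ipaddress


def _names_from_cert(cert):
    """Return (san_dns_names, common_names) from a getpeercert()-style dict."""
    san = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return san, cns


def _label_match(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive; a single '*' is allowed
    only as the whole leftmost label and never matches across a dot."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert, hostname):
    """The check a TLS client should do: compare the certificate against the
    name the client was asked to connect to. SAN dNSName entries take
    precedence; the subject CN is consulted only if the cert has no SAN."""
    san, cns = _names_from_cert(cert)
    candidates = san if san else cns
    return any(_label_match(p, hostname) for p in candidates)


def cert_matches_reverse_lookup(cert, peer_ip, ptr_records):
    """The check asked about in the thread: resolve the peer's IP back to a
    name and compare the certificate against that. ptr_records stands in
    for DNS; whoever controls the peer IP's reverse zone, or can spoof the
    answer, chooses the name the certificate is compared to."""
    name = ptr_records.get(str(ipaddress.ip_address(peer_ip)))
    return name is not None and cert_matches_hostname(cert, name)


# --- constructed scenario ---------------------------------------------------
INTENDED_HOST = "ldap.example.com"

# The real server's certificate (constructed).
REAL_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "ldap1.example.com")),
}

# A certificate legitimately issued to the attacker's own host name (constructed).
ATTACKER_CERT = {
    "subject": ((("commonName", "mitm.example.net"),),),
    "subjectAltName": (("DNS", "mitm.example.net"),),
}

# Reverse zone as the client sees it; the attacker owns 203.0.113.5's PTR.
PTR_RECORDS = {
    "198.51.100.10": "ldap.example.com",
    "203.0.113.5": "mitm.example.net",
}


def scenario():
    """Client wants INTENDED_HOST but its connection is diverted to the
    attacker's IP. Returns each check's verdict for the real and the
    diverted connection."""
    return {
        "hostname_check_real": cert_matches_hostname(REAL_CERT, INTENDED_HOST),
        "hostname_check_mitm": cert_matches_hostname(ATTACKER_CERT, INTENDED_HOST),
        "reverse_check_real": cert_matches_reverse_lookup(REAL_CERT, "198.51.100.10", PTR_RECORDS),
        "reverse_check_mitm": cert_matches_reverse_lookup(ATTACKER_CERT, "203.0.113.5", PTR_RECORDS),
    }


if __name__ == "__main__":
    for check, verdict in scenario().items():
        print(f"{check}: {'accepted' if verdict else 'rejected'}")
```

The reverse-lookup check accepts the diverted connection because the attacker needs nothing more than a certificate for a name it already owns plus control of its own PTR record, which is exactly why the reply above rates it no better than no check at all. The hostname check rejects it because the attacker cannot obtain a trusted certificate for the name the client actually asked for.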