Re: Problem verifying self signed certificate



At 11:59 PM 9/4/2005, Villy Kruse wrote:
>On Sun, 4 Sep 2005, Kurt D. Zeilenga wrote:
>
>> Date: Sun, 04 Sep 2005 10:51:16 -0700
>> From: Kurt D. Zeilenga <Kurt@OpenLDAP.org>
>> To: Peter Marschall <peter@adpm.de>
>> Cc: James Wilde <james_wilde@glocalnet.com>,
>>     openldap-software@OpenLDAP.org
>> Subject: Re: Problem verifying self signed certificate
>>
>> At 08:45 AM 9/4/2005, Peter Marschall wrote:
>> >AFAIK this is expected behaviour as you cannot use a self-signed server
>> >certificate with openLDAP.
>>
>> Have you examined the certificate at ldap.openldap.org?
>> It's a self-signed certificate.
>>
>
>A self signed certificate cannot be verified.

OpenLDAP can and does (through OpenSSL + libldap checks) verify
that the server provided certificate, whether self-signed
or CA-signed, is one which it has been configured to trust.

>For that you will need
>the certificate to be signed by a trusted CA.

If you use CA-signed server certificates, you configure
the client with a trusted CA certificate.

If you use self-signed server certificates, you configure
the client with the trusted server certificate.

>However, a self-signed
>certificate can be used to establish an encrypted connection.

In either case, the server provided certificate is verified
as one which the client has been configured to trust.

Of course, inappropriately trusting a certificate (in
either case) unwisely opens the door to attack.  In my
example, the successful verification in the second session
indicates that the client is talking to the same
server as in the first session.  Obviously, the client
could have been talking to a rogue server during both
sessions as I never verified the certificate as being
the correct one, I just assumed it was.  Likewise,
if I had trusted some CA certificate without verifying
its worthiness, that CA and all of the certificates it
issued could be rogue.

Point here is that OpenLDAP (through OpenSSL and
libldap checks) does verify that the server provided
certificate is one that it was configured to trust,
regardless of the worthiness of the trust.

Kurt
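The configuration Kurt describes, as an added shell example that is not part of the thread: the client's trust anchor (what ldap.conf's TLS_CACERT points at) is the server's own self-signed certificate, so that certificate verifies, a different self-signed certificate presented under the same name does not, and a rogue certificate verifies just as well if it is the one the client was told to trust. The hostname and the temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Self-signed server certificates verify when the client trusts exactly
# that certificate. The check below is the one libldap delegates to
# OpenSSL: chain the presented certificate to the configured trust file.
set -eu

WORK=$(mktemp -d)                 # constructed scratch directory
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed certificate, as a test LDAP server would use.
#   $1 = file basename, $2 = CN to put in the subject
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Verify a presented server certificate against a trust anchor file.
# Equivalent to the client having  TLS_CACERT <anchor>  and
# TLS_REQCERT demand  in ldap.conf. Prints "ok" or "fail".
#   $1 = trust anchor (PEM), $2 = presented server certificate (PEM)
verify_against() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok;   return 0
    else
        echo fail; return 1
    fi
}

make_self_signed server ldap.example.test   # the real server's certificate
make_self_signed rogue  ldap.example.test   # impostor, same CN, other key

# Client trusts the real server's certificate: the real server verifies,
# the impostor does not, even though the names match.
verify_against "$WORK/server.pem" "$WORK/server.pem"            # ok
verify_against "$WORK/server.pem" "$WORK/rogue.pem"  || true    # fail

# Client was (carelessly) told to trust the rogue certificate instead:
# verification succeeds regardless of the worthiness of that trust.
verify_against "$WORK/rogue.pem"  "$WORK/rogue.pem"             # ok
```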