
Re: failover config: servers with same DNS address and TLS, subjectAltName extension



Howard Chu <hyc@symas.com> wrote:

> When you run OpenLDAP's configure script you will see:
> 
> checking OpenSSL library version (CRL checking capability)... no
> 
> indicating that your OpenSSL library doesn't support it. Otherwise I suppose
> you would see in your OpenSSL release notes/docs.

Yes, I discovered HAVE_OPENSSL_CRL. The problem is that this test
passes on mine, despite the OpenSSL version (0.9.7d):

configure:19757: checking OpenSSL library version (CRL checking capability)
configure:19791: result: yes

And then if I use TLS_CRLCHECK, LDAP operation will fail:

ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I hope you'll agree with me that this is *very* misleading if CRL checks
are not supposed to work with 0.9.7d. 

> You posted your email as if it was a general solution for anybody trying to
> solve the aliased server name problem for TLS certificates. 

Quoting myself: "here is the result of my experiments"

I wouldn't call that a claim of being an authoritative guide. I posted
it there with the hope it could be useful to others looking for the piece
of information I missed. It was not perfect, but that's not a problem,
since you and others kindly pointed out the errors. If you don't
discourage me too much, I may even post an update with your comments
included.

> This part of your config is not part of that general solution, it is
> specific to your deployment. In particular, the sasl-secprops setting is a
> global option and affects all connections, whether they use TLS or not. As
> such, you are allowing users to use login/plain over cleartext connections
> as well as TLS connections. You might have taken precautions against this
> in the other parts of your slapd.conf (using the security directive)

Yes, I have this. Is it fine? 
security        simple_bind=128

> but you didn't indicate those precautions 
> anywhere in what you posted. So you will mislead anyone following your advice
> into leaving their servers quite vulnerable.

I hope people do some testing before rolling a copy/pasted configuration
in production...

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org
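An added illustration of the point raised about sasl-secprops being global (constructed for this thread, not the config either correspondent posted): a slapd.conf fragment in which a permissive sasl-secprops stays in effect for cleartext connections, beside one where the security directive requires protection for every bind. The sasl-secprops value and the SSF numbers are assumptions; the original post's sasl-secprops line is not reproduced here.

```conf
# Weak (constructed example): sasl-secprops is a global directive, so
# permitting PLAIN/LOGIN here applies to connections on port 389 without
# TLS just as much as to TLS-protected ones.  simple_bind=128 only
# constrains *simple* binds; a SASL PLAIN or LOGIN bind is a SASL bind,
# so it is not covered by this factor and can still carry a password in
# cleartext.
sasl-secprops   none
security        simple_bind=128

# Hardened (constructed example): require an overall security strength
# factor of 128 on the connection before any operation is accepted.
# slapd takes the TLS cipher strength into account for ssf, so binds
# (simple or SASL) over a TLS session negotiated with a 128-bit cipher
# pass, while the same binds over a cleartext connection are refused.
security        ssf=128 simple_bind=128
```

Note that ssf=128 also refuses anonymous or read-only operations on cleartext connections; if those must stay reachable without TLS, the minimum for the bind mechanisms has to be expressed through the SASL properties rather than the connection-wide ssf.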