[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: failover config: servers with same DNS address and TLS, subjectAltName extension

Howard Chu <hyc@symas.com> wrote:

> When you run OpenLDAP's configure script you will see:
> checking OpenSSL library version (CRL checking capability)... no
> indicating that your OpenSSL library doesn't support it. Otherwise I suppose
> you would see in your OpenSSL release notes/docs.

Yes, I discovered HAVE_OPENSSL_CRL. The problem is that this test
validates at mine, despite OpenSSL version (0.9.7d)

configure:19757: checking OpenSSL library version (CRL checking
configure:19791: result: yes

And then if I use TLS_CRLCHECK, LDAP operation will fail:

ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I hope you'll agree with me that this is *very* misleading if CRL checks
are not supposed to work with 0.9.7d. 

> You posted your email as if it was a general solution for anybody trying to
> solve the aliased server name problem for TLS certificates. 

Quoting myself: "here is the result of my experiments"

I wouldn't call that a claim of being an authoritative guide. I posted
it there with the hope it could be useful to other looking for the piece
of information I missed. It was not perfect, but that's not a problem,
since you and other kindly pointed out the errors. If you don't
discourage me too much, I may even post an update with your comments

> This part of your config is not part of that general solution, it is
> specific to your deployment. In particular, the sasl-secprops setting is a
> global option and affects all connections, whether they use TLS or not. As
> such, you are allowing users to use login/plain over cleartext connections
> as well as TLS connections. You might have taken precautions against this
> in the other parts of your slapd.conf (using the security directive)

Yes, I have this. Is it fine? 
security        simple_bind=128

> but you didn't indicate those precautions 
> anywhere in what you posted. So you will mislead anyone following your advice
> into leaving their servers quite vulnerable.

I hope people do some testing before rolling a copy/pasted configuration
in production...

Emmanuel Dreyfus