Re: failover config: servers with same DNS address and TLS, subjectAltName extension
Howard Chu <email@example.com> wrote:
> When you run OpenLDAP's configure script you will see:
> checking OpenSSL library version (CRL checking capability)... no
> indicating that your OpenSSL library doesn't support it. Otherwise I suppose
> you would see in your OpenSSL release notes/docs.
Yes, I discovered HAVE_OPENSSL_CRL. The problem is that this test
passes on my system, despite the OpenSSL version (0.9.7d):
    configure:19757: checking OpenSSL library version (CRL checking
    configure:19791: result: yes
And then if I use TLS_CRLCHECK, the LDAP operation fails:
    ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I hope you'll agree with me that this is *very* misleading if CRL checks
are not supposed to work with 0.9.7d.
> You posted your email as if it was a general solution for anybody trying to
> solve the aliased server name problem for TLS certificates.
Quoting myself: "here is the result of my experiments"
I wouldn't call that a claim of being an authoritative guide. I posted
it there with the hope it could be useful to others looking for the piece
of information I missed. It was not perfect, but that's not a problem,
since you and others kindly pointed out the errors. If you don't
discourage me too much, I may even post an update with your comments.
> This part of your config is not part of that general solution, it is
> specific to your deployment. In particular, the sasl-secprops setting is a
> global option and affects all connections, whether they use TLS or not. As
> such, you are allowing users to use login/plain over cleartext connections
> as well as TLS connections. You might have taken precautions against this
> in the other parts of your slapd.conf (using the security directive)
Yes, I have this. Is it fine?
> but you didn't indicate those precautions
> anywhere in what you posted. So you will mislead anyone following your advice
> into leaving their servers quite vulnerable.
I hope people do some testing before rolling a copy/pasted configuration
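To make the point about sasl-secprops concrete, here is an added configuration example; it is not part of the original posting or the OpenLDAP distribution, and the certificate paths and the SSF value of 128 are assumptions. The first slapd.conf fragment is the weak form: it relaxes sasl-secprops so that PLAIN/LOGIN work, but because that directive is global, PLAIN/LOGIN are then also accepted on cleartext connections. The second fragment keeps the relaxed sasl-secprops but adds the security directive so that no bind or operation is accepted below the required SSF, which in practice forces TLS (or a SASL integrity layer). The client-side ldap.conf fragment shows the matching TLS_CRLCHECK setting.

```conf
### WEAK: slapd.conf fragment (added example, assumed paths)
# Allow the PLAIN and LOGIN mechanisms by dropping the default "noplain".
# sasl-secprops is global: this applies to ldap:// (cleartext) as well as
# to connections that negotiated TLS, so passwords can cross the wire in
# the clear.
sasl-secprops   noanonymous

TLSCACertificateFile    /etc/openldap/cacert.pem      # assumed path
TLSCertificateFile      /etc/openldap/server.pem      # assumed path
TLSCertificateKeyFile   /etc/openldap/server.key      # assumed path


### HARDENED: slapd.conf fragment (added example, assumed paths)
# Same relaxed sasl-secprops, but the security directive now rejects any
# bind or operation on a connection whose Security Strength Factor is
# below 128. StartTLS itself is still allowed on a bare connection, so
# clients can upgrade; everything else must wait until TLS is up.
sasl-secprops   noanonymous
security        ssf=128 simple_bind=128

# Caveat: ldapi:// connections are assigned localSSF (default 71), which
# does not satisfy ssf=128. Raise it if you use the Unix-domain socket.
localSSF        128

TLSCACertificateFile    /etc/openldap/cacert.pem      # assumed path
TLSCertificateFile      /etc/openldap/server.pem      # assumed path
TLSCertificateKeyFile   /etc/openldap/server.key      # assumed path


### CLIENT: ldap.conf fragment (added example, assumed paths)
# Insist on a valid server certificate, and check the server cert against
# the issuer's CRL. OpenSSL looks the CRL up in TLS_CACERTDIR by subject
# hash (<hash>.r0, as produced by c_rehash); if no CRL for the issuing CA
# is found there, verification fails with "certificate verify failed".
TLS_CACERTDIR   /etc/openldap/cacerts                 # assumed path
TLS_REQCERT     demand
TLS_CRLCHECK    peer
```

With the hardened server fragment, a cleartext `ldapsearch -x -D ... -W` against ldap:// is refused (confidentiality required) while the same search with `-ZZ` succeeds, which is the quickest test that the security directive is actually in force before trusting a copied configuration.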