Re: insecure, convenient use of SSL
On Tuesday 15 April 2008 15:23:11 kevin montuori wrote:
> >>>>> "BM" == Buchan Milne <firstname.lastname@example.org> writes:
> >> I'd like to set up LDAP command line tools to point to a server
> >> -- say localhost -- that has a certificate with an arbitrary
> >> name in it -- say `my-domain.com`.
> BM> Either:
> BM> 1) Add an entry to /etc/hosts so that the name on the certificate
> BM> resolves to the correct IP address, and always use the name on
> BM> any connection where you want certificate validation, or
> BM> 2) Add TLS_REQCERT allow to the OpenLDAP ldap.conf. If you are
> BM> using anything besides OpenLDAP software (nss_ldap, pam_ldap) be
> BM> aware that their configuration is not identical ...
> Or, if you can, use the subjectAltName certificate extension. See the
> administrator's guide, 14.1.1. It works as expected and there's no funky
> client-side configuration required.
This solution assumes that you can change the cert (and, even if you can,
that the CA supports/allows the subject alternative name extension), which
is not necessarily a good assumption to make.
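As an added example (not code from the thread or from OpenLDAP), the Python below models the two points being argued: how a client decides whether a server certificate is issued for the name it connected to (SAN dNSName entries first, CN only as a fallback, which is why the /etc/hosts alias and the subjectAltName approaches both work), and what each TLS_REQCERT value in ldap.conf(5) does with a bad or missing certificate. The certificate names and the scenario values are constructed; no real certificate is parsed and CA-chain validation is assumed to have passed.

```python
from typing import List, Optional

def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, '*' allowed only as the whole left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], hostname.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == hostname

def cert_matches_host(cn: str, san_dns: List[str], hostname: str) -> bool:
    """If the certificate carries any dNSName SAN entries, only those are consulted;
    the subject CN is used only when the SAN extension is absent."""
    names = san_dns if san_dns else [cn]
    return any(name_matches(n, hostname) for n in names)

def connection_proceeds(reqcert: str, cert_ok: Optional[bool]) -> bool:
    """TLS_REQCERT policy as documented in ldap.conf(5).
    cert_ok: True = valid and name matches, False = bad, None = no certificate sent."""
    policy = reqcert.lower()
    if policy == "never":            # certificate neither requested nor checked
        return True
    if policy == "allow":            # bad or missing certificate is ignored
        return True
    if policy == "try":              # missing is tolerated, bad terminates the session
        return cert_ok is None or cert_ok
    if policy in ("demand", "hard"): # the default: anything but a good certificate terminates
        return cert_ok is True
    raise ValueError(f"unknown TLS_REQCERT value: {reqcert}")

def thread_scenario() -> dict:
    """Constructed scenario from the thread: the server cert names my-domain.com, the client
    wants to talk to localhost, and the CA chain is assumed trusted (TLS_CACERT set)."""
    cn, no_san = "my-domain.com", []
    with_san = ["localhost", "my-domain.com"]
    return {
        # default policy, connecting as localhost: name mismatch, session terminated
        "localhost_demand": connection_proceeds("demand", cert_matches_host(cn, no_san, "localhost")),
        # option 2 from the thread: TLS_REQCERT allow lets the mismatched cert through
        "localhost_allow": connection_proceeds("allow", cert_matches_host(cn, no_san, "localhost")),
        # option 1: /etc/hosts alias so the connection uses the certificate's name
        "hosts_alias_demand": connection_proceeds("demand", cert_matches_host(cn, no_san, "my-domain.com")),
        # the subjectAltName suggestion: cert names both hosts, default policy kept
        "san_demand": connection_proceeds("demand", cert_matches_host(cn, with_san, "localhost")),
    }
```

Note that "allow" returns True regardless of the certificate, so a misissued or substituted certificate is accepted just as silently as the legitimate mismatched one.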