Re: insecure, convenient use of SSL

On Tuesday 15 April 2008 15:23:11 kevin montuori wrote:
> >>>>> "BM" == Buchan Milne <bgmilne@staff.telkomsa.net> writes:
>  >>
>  >> I'd like to set up LDAP command line tools to point to a server
>  >> -- say localhost -- that has a certificate with an arbitrary
>  >> name in it -- say `my-domain.com`.
>  BM> Either:
>  BM> 1) Add an entry to /etc/hosts so that the name on the certificate
>  BM> resolves to the correct IP address, and always use the name on
>  BM> any connection where you want certificate validation, or
>  BM> 2) Add TLS_REQCERT allow to the OpenLDAP ldap.conf. If you are
>  BM> using anything besides OpenLDAP software (nss_ldap, pam_ldap) be
>  BM> aware that their configuration is not identical ...
> Or, if you can, use the subjectAltName certificate extension. See the
> administrator's guide, 14.1.1. Works as expected and there's no funky
> client-side configuration required.

This solution assumes that you can change the cert (and, even if you can, 
that the CA supports/allows the subject alternative name extension), which 
is not necessarily a good assumption to make.
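The three options discussed in this thread (use the name that is on the cert, set TLS_REQCERT allow, or put a subjectAltName in the cert), worked through with openssl as an added example that is not part of the original mail. It builds two self-signed certs under a mktemp directory and checks which names each validates for; it assumes openssl 1.1.0 or newer for -verify_hostname / -verify_ip, and the ldap.conf it writes is a constructed minimal one, not a file from the thread.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds a self-signed
# server certificate with CN=my-domain.com and a second one that also carries
# subjectAltName entries for localhost and 127.0.0.1, then uses
# `openssl verify -verify_hostname` to show which names each cert validates
# for. Assumes openssl 1.1.0 or newer (for -verify_hostname / -verify_ip).
set -eu

# make_cert DIR SAN_LIST
#   Writes DIR/key.pem and DIR/cert.pem with CN=my-domain.com. SAN_LIST is an
#   openssl subjectAltName value such as "DNS:localhost,IP:127.0.0.1";
#   pass "" for a CN-only certificate.
make_cert() {
    dir=$1; san=$2
    mkdir -p "$dir"
    {
        printf '[req]\ndistinguished_name = dn\nprompt = no\n'
        printf '[dn]\nCN = my-domain.com\n'
        printf '[ext]\nextendedKeyUsage = serverAuth\n'
        if [ -n "$san" ]; then printf 'subjectAltName = %s\n' "$san"; fi
    } > "$dir/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -config "$dir/req.cnf" -extensions ext >/dev/null 2>&1
}

# hostname_ok CERT NAME: exit 0 if CERT validates for DNS name NAME, using the
# cert itself as the trust anchor. This is the check TLS_REQCERT demand runs.
hostname_ok() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# ip_ok CERT ADDR: the same check for an IP literal (ldaps://127.0.0.1/).
ip_ok() {
    openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1
}

# write_ldap_conf FILE CERT: client config that keeps verification on.
# The thread's option 2 would replace "demand" with "allow", which makes the
# client accept any certificate, so a man-in-the-middle is not detected.
write_ldap_conf() {
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$2" > "$1"
}

# Demo run (paths are temporary and assumed, not from the thread).
WORK=$(mktemp -d)
make_cert "$WORK/cn"  ""
make_cert "$WORK/san" "DNS:my-domain.com,DNS:localhost,IP:127.0.0.1"
write_ldap_conf "$WORK/ldap.conf" "$WORK/san/cert.pem"

report() { if "$@"; then echo "ok   $*"; else echo "FAIL $*"; fi; }
report hostname_ok "$WORK/cn/cert.pem"  my-domain.com  # CN fallback passes
report hostname_ok "$WORK/cn/cert.pem"  localhost      # fails: option 1 hosts trick
report hostname_ok "$WORK/san/cert.pem" localhost      # passes via SAN
report ip_ok       "$WORK/san/cert.pem" 127.0.0.1      # passes via SAN
# Not run here (needs a slapd): LDAPCONF=$WORK/ldap.conf ldapsearch -H ldaps://localhost/ -x -b '' -s base
```

Once a dNSName entry is present in subjectAltName, OpenSSL no longer falls back to the CN, so the SAN list must repeat my-domain.com as well as adding localhost; the "cn" cert only passes for my-domain.com because it has no SAN at all, which is why option 1 (make the cert's name resolve to the server) works without touching the cert.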