[Date Prev][Date Next]
Re: insecure, convenient use of SSL
On Tue, 15 Apr 2008, Buchan Milne wrote:
On Friday 11 April 2008 01:42:30 Jason Dusek wrote:
I'd like to set up LDAP command line tools to point to a server
-- say localhost -- that has a certificate with an arbitrary
name in it -- say `my-domain.com`.
1)Add an entry to /etc/hosts so that the name on the certificate
resolves to the correct IP address, and always use the name on any
connection where you want certificate validation
This should work (assuming the client has the cert of the CA that signed
the server cert).
2)Add TLS_REQCERT allow to the OpenLDAP ldap.conf. If you are using
anything besides OpenLDAP software (nss_ldap,pam_ldap) be aware that
their configuration is not identical ...
This isn't sufficient. "TLS_REQCERT allow" only disables the checking of
the certificate validity (known CA, etc) and not the checking of the
hostname in the URI vs the names in the cert. To disable the name
checking too, you have to use "TLS_REQCERT never".
Such a config has no protection from MitM attacks: you'll accept any cert
from any CA.
(Correcting the ldap.conf(5) manpage is ITS #4941)