[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: insecure, convenient use of SSL

On Tue, 15 Apr 2008, Buchan Milne wrote:
On Friday 11 April 2008 01:42:30 Jason Dusek wrote:
 I'd like to set up LDAP command line tools to point to a server
 -- say localhost -- that has a certificate with an arbitrary
 name in it -- say `my-domain.com`.
1)Add an entry to /etc/hosts so that the name on the certificate resolves to the correct IP address, and always use the name on any connection where you want certificate validation

This should work (assuming the client has the cert of the CA that signed the server cert).

2)Add TLS_REQCERT allow to the OpenLDAP ldap.conf. If you are using anything besides OpenLDAP software (nss_ldap,pam_ldap) be aware that their configuration is not identical ...

This isn't sufficient. "TLS_REQCERT allow" only disables the checking of the certificate validity (known CA, etc) and not the checking of the hostname in the URI vs the names in the cert. To disable the name checking too, you have to use "TLS_REQCERT never".

Such a config has no protection from MitM attacks: you'll accept any cert from any CA.

Philip Guenther

(Correcting the ldap.conf(5) manpage is ITS #4941)