
Re: insecure, convenient use of SSL



On Tue, 15 Apr 2008, Buchan Milne wrote:
On Friday 11 April 2008 01:42:30 Jason Dusek wrote:
 I'd like to set up LDAP command line tools to point to a server
 -- say localhost -- that has a certificate with an arbitrary
 name in it -- say `my-domain.com`.
...
Either:
1) Add an entry to /etc/hosts so that the name on the certificate resolves to the correct IP address, and always use the name on any connection where you want certificate validation

This should work (assuming the client has the cert of the CA that signed the server cert).



or
2) Add TLS_REQCERT allow to the OpenLDAP ldap.conf. If you are using anything besides OpenLDAP software (nss_ldap, pam_ldap) be aware that their configuration is not identical ...

This isn't sufficient. "TLS_REQCERT allow" only disables the checking of the certificate validity (known CA, etc) and not the checking of the hostname in the URI vs the names in the cert. To disable the name checking too, you have to use "TLS_REQCERT never".


Such a config has no protection from MitM attacks: you'll accept any cert from any CA.


Philip Guenther

(Correcting the ldap.conf(5) manpage is ITS #4941)
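
An added example, not part of the original message: a small shell audit that reports which verification each TLS_REQCERT line in a client ldap.conf leaves in place. The meaning of "allow" and "never" follows the reply above, "try", "demand" and "hard" follow ldap.conf(5), and the sample files and the CA path are constructed.

```shell
#!/bin/sh
# Added example: flag OpenLDAP client configs whose TLS_REQCERT level
# weakens verification of the server certificate.

# Map a TLS_REQCERT level to what is still verified.
classify_reqcert() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        never)           echo "none" ;;       # no CA check, no name check
        allow)           echo "name-only" ;;  # CA check off, name check still on
        try|demand|hard) echo "full" ;;       # a bad certificate ends the session
        *)               echo "unknown" ;;
    esac
}

# Print one finding per TLS_REQCERT line in FILE; return 1 if any is not "full".
audit_ldap_conf() {
    file=$1 rc=0 n=0 seen=0
    while read -r key val _rest || [ -n "$key" ]; do
        n=$((n + 1))
        case "$key" in '#'*|'') continue ;; esac    # skip comments and blanks
        # Option names in ldap.conf are case-insensitive.
        [ "$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]')" = "TLS_REQCERT" ] || continue
        seen=1
        verdict=$(classify_reqcert "$val")
        echo "$file:$n: TLS_REQCERT $val -> $verdict"
        [ "$verdict" = "full" ] || rc=1
    done < "$file"
    [ "$seen" -eq 1 ] || echo "$file: TLS_REQCERT not set -> full (default is demand)"
    return "$rc"
}

# Constructed sample configs; /etc/ssl/ca.pem is a placeholder path.
demo_dir=$(mktemp -d)
printf '%s\n' '# lab client' 'URI ldaps://my-domain.com' \
    'TLS_REQCERT allow' > "$demo_dir/weak.conf"
printf '%s\n' 'URI ldaps://my-domain.com' 'TLS_CACERT /etc/ssl/ca.pem' \
    'tls_reqcert demand' > "$demo_dir/ok.conf"

audit_ldap_conf "$demo_dir/weak.conf" || echo "weak.conf: verification is weakened"
audit_ldap_conf "$demo_dir/ok.conf" && echo "ok.conf: server certificate fully verified"
rm -rf "$demo_dir"
```
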