[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: tls_reqcert never

On Thu, 19 Mar 2009, alessio wrote:
> In the ldap.conf man page I can read:
> ...
> TLS_REQCERT <level>
> ...
>     never  The  client will not request or check any server certificate.

This description in the manpage is incorrect (c.f ITS 4941).  Setting 
TLS_REQCERT actually just disables the client's check that the name from 
the URI matches the cert's subjectAltName values or CN.

> In this case the ldaps:// connection will be encrypted anyway? Isn't it?

It'll be encrypted, but with no protection from man-in-the-middle attacks, 
or even detection of simple misconfigurations (CNAME pointing at wrong 
host, etc).

"TLS_REQCERT allow" is only slightly better, doing the name check (so some 
misconfigs will be caught) but still skipping the check for a known CA, so 
it's still vulnerable to MitM attacks.  If you're going to go to the 
trouble to use TLS, why not distribute the certs and do it right?

Philip Guenther