
Re: tlsverifyclient security implications



Josh.Mullis@cox.com wrote:

..."If the client does not send a certificate, it can still connect."


Does that mean that traffic is still encrypted if a certificate is not used?

Yes. Certificates are only for authentication, not encrypting the traffic. Usually only servers have certificates, so that clients can verify they are talking to the server they expected, and not being spoofed. Client certificates are very useful to allow the server to verify a client's identity, but there are obviously many other mechanisms for that as well.





----- Original Message -----
From: Emmanuel Dreyfus <manu@netbsd.org>
To: Mullis, Josh (CCI-Atlanta); openldap-software@openldap.org <openldap-software@openldap.org>
Sent: Sun Aug 23 02:59:05 2009
Subject: Re: tlsverifyclient security implications

Josh Mullis <josh.mullis@cox.com> wrote:

What are the security implications concerning the following setting in
slapd.conf:
tlsverifyclient allow

As far as I understand, if the client sends a certificate, then slapd
can use it to map the client to an LDAP DN, like this:
authz-regexp    cn=foo uid=foo,dc=example,dc=net

If the client does not send a certificate, it can still connect.



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
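The TLSVerifyClient settings and the authz-regexp mapping discussed in this thread, as an added Python model (not code from the list posts or from OpenLDAP itself): it encodes the four modes as documented in slapd.conf(5), applies authz-regexp rules to a certificate subject, and shows that the thread's unanchored `cn=foo` pattern also matches a subject such as `cn=foobar,...`. The sample subjects and rules are constructed, and the unanchored (POSIX-search style) matching is an assumption of the model.

```python
import re

# TLSVerifyClient modes as documented in slapd.conf(5): is a client certificate
# requested, and what happens when none is sent or verification fails.
# This is a model of the documented policy, not slapd's own code.
POLICY = {
    "never":  {"request": False, "missing": "accept", "invalid": "accept"},
    "allow":  {"request": True,  "missing": "accept", "invalid": "accept"},
    "try":    {"request": True,  "missing": "accept", "invalid": "reject"},
    "demand": {"request": True,  "missing": "reject", "invalid": "reject"},
}

def handshake_outcome(mode, subject=None, valid=True):
    """Return ("connected", subject), ("connected", None) for a session that is
    encrypted but carries no client identity, or ("rejected", None)."""
    rules = POLICY[mode]
    if not rules["request"] or subject is None:
        # No certificate in play: only "demand" refuses the session.
        return ("connected", None) if rules["missing"] == "accept" else ("rejected", None)
    if not valid:
        # Certificate failed verification: "allow" still connects but cannot
        # use it to authenticate; "try" and "demand" drop the connection.
        return ("connected", None) if rules["invalid"] == "accept" else ("rejected", None)
    return ("connected", subject)

def authz_regexp(rules, identity):
    """slapd-style authz-regexp: first matching (pattern, replacement) wins and
    $N in the replacement is capture group N. Patterns are searched, not
    anchored, unless they carry ^ and $ themselves (assumed POSIX semantics)."""
    for pattern, replacement in rules:
        m = re.search(pattern, identity)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None

def classify(mode, rules, subject=None, valid=True):
    """What a connecting client ends up as: 'rejected', 'anonymous' (encrypted
    but unauthenticated), the mapped LDAP DN, or 'unmapped' (cert accepted,
    no authz-regexp rule matched)."""
    state, identity = handshake_outcome(mode, subject, valid)
    if state == "rejected":
        return "rejected"
    if identity is None:
        return "anonymous"
    return authz_regexp(rules, identity) or "unmapped"

# Constructed sample rules: the thread's unanchored rule next to an anchored one.
LOOSE = [(r"cn=foo", "uid=foo,dc=example,dc=net")]
STRICT = [(r"^cn=([^,]+),ou=people,dc=example,dc=net$", "uid=$1,dc=example,dc=net")]
```

Running `classify("allow", LOOSE)` with no subject returns `"anonymous"`, which is the case the thread describes: the session is encrypted but nobody has been authenticated, so access control, not TLS, decides what that client may do.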