[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Syncrepl SSL fail

Philip Guenther wrote:
Next: the fact that you need tls_reqcert=never for TLS negotiation to
succeed strongly suggests the problem is either
a) the subject and subjectAltName of the cert don't match the hostname in
    the URL, OR
b) the client doesn't have the self-signed CA cert at the root of the
    signing chain for the server's cert.

Those are both necessary to protect the server against Man-in-the-Middle

(It used to be that tls_reqcert=allow would disable check (b) and only
perform check (a), or at least that was the case when using the OpenSSL
crypto backend, but that behavior has apparently been removed from the
version in git as of August.  Given the vagaries of the error reporting of
the underlying crypto libraries, this was a useful tool in tracking down
which check was causing TLS failures. Oh well.)

Frankly I agree with you that the original behavior was better. As far as I recall, though i don't believe it was never documented anywhere, the main point to using ALLOW was to accept certs that were expired but otherwise correct. The current patch in git makes you totally defenseless against MITM attacks, and I can't see any reason why it would ever be correct to deploy this way.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/