
Re: How do tools verify certs with ldapi:// ?



Peter Marschall wrote:
> On Monday, 28. May 2012, Michael Ströder wrote:
>> Peter Marschall wrote:
>>> On Monday, 28. May 2012, Philip Guenther wrote:
>>>> On Mon, 28 May 2012, Michael Ströder wrote:
>>>>> Peter Marschall wrote:
>>>>>> how do the openldap tools technically verify certificates with
>>>>>> ldapi:// ?
>>>>>
>>>>> Which certs do you want to verify?
>>>>
>>>> I assume the answer is "the one the server returns when you do StartTLS
>>>> on the ldapi:// connection".
>>>
>>> Correct.
>>
>> So if the quite liberal RFC 6125 does not provide any inspiration this
>> boils down to being undefined. StartTLS over LDAPI is an unusual scenario
>> anyway.
> 
> Thanks for your reply. 
> It helps a bit ("looking at the issue from the standard angle"), but
> my question was how the openldap tools do it.

I think the standards are what is relevant here. The arbitrary check for
"localhost" does not make sense because "localhost" does not sufficiently
specify the name of the server.

The server is an end entity for the CA and the CA guarantees having checked
the server's identity (or checked whether someone was authorized to request a
cert for the server's name). So I wouldn't trust any CA which issues certs for
"localhost".

=> StartTLS over LDAPI is undefined and probably every API should simply refuse
it outright or accept any server cert. In both cases the underlying LDAPI
channel is fully trusted anyway.

If the client really would like to implement an additional *security* check
that a rogue attacker did not trick the client into connecting to another Unix
domain socket (MITM service), checking the server's identity by matching
"localhost" also does not make sense to me.

Ciao, Michael.
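Added example (editor's illustration, not code from this thread or from OpenLDAP): Michael's point is that matching "localhost" against a certificate says nothing about *which* Unix-domain socket the client actually connected to. If a client does want to guard against being pointed at a rogue socket, the identity a Unix-domain socket really carries is the socket inode's owner and the kernel-reported credentials of the peer process. The script below spins up a throw-away socket server as a constructed stand-in for slapd (it is not slapd and speaks no LDAP), then has a client refuse the connection unless both the socket file and the listening peer belong to the expected uid. It assumes Linux, where SO_PEERCRED returns a struct ucred of three native ints; the paths and names are made up for the demo.

```python
"""Peer identity for an ldapi:// style Unix-domain socket, checked via the
socket file's owner and SO_PEERCRED instead of TLS hostname matching.
Linux-only (SO_PEERCRED / struct ucred layout is an assumption)."""
import os
import socket
import struct
import tempfile
import threading

UCRED_FMT = "3i"  # struct ucred: pid_t, uid_t, gid_t as native ints (Linux)


def peer_credentials(sock):
    """Return (pid, uid, gid) of the process at the other end of a connected
    AF_UNIX socket. The kernel records these at connect time, so they are
    still available after the peer has finished sending."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(UCRED_FMT))
    return struct.unpack(UCRED_FMT, raw)


def socket_owner(path):
    """uid owning the socket inode. A rogue socket planted in a writable
    directory is normally owned by someone other than the real daemon."""
    return os.stat(path).st_uid


def connect_checked(path, expected_uid):
    """Connect to a Unix-domain socket, refusing unless both the socket file
    and the listening peer belong to expected_uid. Returns (sock, peer_uid)."""
    owner = socket_owner(path)
    if owner != expected_uid:
        raise PermissionError(f"{path} owned by uid {owner}, expected {expected_uid}")
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.connect(path)
    pid, uid, _gid = peer_credentials(sock)
    if uid != expected_uid:
        sock.close()
        raise PermissionError(f"peer uid {uid} (pid {pid}) != expected {expected_uid}")
    return sock, uid


def serve_once(path, ready):
    """Constructed stand-in for slapd: accept one client, send a banner, exit."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    ready.set()
    conn, _ = srv.accept()
    conn.sendall(b"stand-in slapd\n")
    conn.close()
    srv.close()


def demo():
    """Run server and checked client in one process.
    Returns (peer_uid_matches_us, banner, wrong_uid_was_rejected)."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "ldapi")  # hypothetical socket path
    ready = threading.Event()
    t = threading.Thread(target=serve_once, args=(path, ready))
    t.start()
    ready.wait()
    try:
        # A client expecting a different daemon uid must bail out before
        # connecting: the owner check fails first and no connection is made.
        rejected = False
        try:
            connect_checked(path, os.getuid() + 1)
        except PermissionError:
            rejected = True
        # The legitimate expectation (our own uid, since we run the stand-in)
        # passes both checks and the client proceeds to read the banner.
        sock, uid = connect_checked(path, os.getuid())
        banner = sock.recv(64)
        sock.close()
        t.join()
        return uid == os.getuid(), banner, rejected
    finally:
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    print(demo())
```

This is the kind of check that actually binds the client to a specific local daemon: neither the directory permissions on the socket nor the peer credentials can be faked by a "localhost" certificate, and conversely a certificate for "localhost" would not distinguish two sockets on the same host.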
