On Sun, Apr 19, 2009 at 11:08:11PM +0200, Ronny Aasen wrote:
> Jonas Smedegaard wrote:
>> On Sun, Apr 19, 2009 at 09:31:26PM +0200, Ronny Aasen wrote:
>>
>>> Andreas Schockenhoff wrote:
>>>> Unfortunately ldap is broken in cd-lenny-test-dvd because the
>>>> ssl certificate of the ldapserver seems lost.
>>> danielsan told me the reason may be that the ssl directory may not
>>> be accessible to others. Something like chmod o+x /etc/ldap/ssl
>>> might help on that.
>>>
>>
>> Perhaps it is inaccessible for a good reason, and your proposed
>> change creates a locally exploitable security hole:
>>
>> If the file contains only a public certificate there should be no
>> security issue in making it world readable. But if the file contains
>> the private key then it should *not* be revealed to others.
>>
>> It does not matter for security (only for trust) if the certificate
>> is self-signed or not: SSL is essentially insecure if the private key
>> is not kept private!
>>
>
> That is actually the directory containing the cert and key, and the key
> is only readable by root.

Ah, ok. Makes sense, then.

 - Jonas

-- 
 * Jonas Smedegaard - idealist and Internet architect
 * Tel.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

