Date: Wed, 11 Jan 2006 10:36:19 -0800 (PST) From: Susan
<[EMAIL PROTECTED]>
> > I thought I needed the cacert line in /etc/openldap/ldap.conf to point the
> > ldap client to the CA cert we trust, otherwise we might not trust the
> > server certificate being signed by the CA.
> >
> > Thanks again,
> > Jo
> >
> That's correct, you always need the CA cert on all of the servers and
> clients. (Unless you're using anonymous cipher suites, in which case you
> don't need any certs at all. But that's pretty reckless.)
I have server-side, self-generated, self-signed certs. None of those certs
exist on any of the
clients, all my ldap traffic is ssl-encrypted over 636, no problem. Is that
what you mean by
"anonymous cipher suites"? If so, why is that reckless? I don't really care
if the clients
misrepresent themselves, I just care that the server doesn't.
Perhaps I'm not understanding what you are saying....?
Stop for a moment and think that through. If you don't configure the
client with a set of CAs to trust, then the only way to make the TLS
handshake work is to tell the client not to attempt to verify the
server's cert at all. That means any server can present any ol' made up
certificate, claiming to be any entity, and the client will just blindly
trust it.
In other words, you have absolutely zero assurance that the server
hasn't misrepresented itself. If someone sets up a malicious server on
your network spoofing the real server, you will never know - you'll have
no way to know.
Anonymous cipher suites are a separate topic; with those, no
certificates are exchanged at all, so you only establish encryption, not
server (or client) authentication. In OpenSSL they're disabled by
default. Enabling them is generally a bad idea, they amount to the same
as the above.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
--
Fedora-directory-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-directory-users
