At 11:59 PM 9/4/2005, Villy Kruse wrote:
>On Sun, 4 Sep 2005, Kurt D. Zeilenga wrote:
>
>> Date: Sun, 04 Sep 2005 10:51:16 -0700
>> From: Kurt D. Zeilenga <[EMAIL PROTECTED]>
>> To: Peter Marschall <[EMAIL PROTECTED]>
>> Cc: James Wilde <[EMAIL PROTECTED]>,
>>     [email protected]
>> Subject: Re: Problem verifying self signed certificate
>>
>> At 08:45 AM 9/4/2005, Peter Marschall wrote:
>> >AFAIK this is expected behaviour as you cannot use a self-signed server
>> >certificate with openLDAP.
>>
>> Have you examined the certificate at ldap.openldap.org?
>> It's a self-signed certificate.
>>
>
>A self-signed certificate cannot be verified.
OpenLDAP can and does (through OpenSSL + libldap checks) verify that the server provided certificate, whether self-signed or CA-signed, is one which it has been configured to trust.

>For that you will need
>the certificate to be signed by a trusted CA.

If you use CA-signed server certificates, you configure the client with a trusted CA certificate. If you use self-signed server certificates, you configure the client with the trusted server certificate.

>However, a self-signed
>certificate can be used to establish an encrypted connection.

In either case, the server provided certificate is verified as one which the client has been configured to trust.

Of course, inappropriately trusting a certificate (in either case) unwisely opens the door to attack. In my example, the successful verification in the second session indicates that the client is talking to the same server as in the first session. Obviously, the client could have been talking to a rogue server during both sessions as I never verified the certificate as being the correct one, I just assumed it was. Likewise, if I had trusted some CA certificate without verifying its worthiness, that CA and all of the certificates it issued could be rogue.

The point here is that OpenLDAP (through OpenSSL and libldap checks) does verify that the server provided certificate is one that it was configured to trust, regardless of the worthiness of the trust.

Kurt
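
As an added example (not part of Kurt's message or of OpenLDAP's own code), the shell script below makes the trust check concrete. It assumes `openssl` is on the PATH, constructs a self-signed server certificate and a second self-signed certificate with the same name, and shows that a client configured to trust the first (as a `TLS_CACERT` line in ldap.conf would make libldap do) verifies it but rejects the second; the function names `make_selfsigned_cert`, `client_trusts`, `write_ldap_conf` and `demo` are the example's own.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes openssl in PATH.
# The libldap/OpenSSL check amounts to: the presented server certificate
# must chain to something in the client's configured trust store. For a
# self-signed server certificate, that trust store is the certificate itself.

# make_selfsigned_cert PREFIX CN: writes PREFIX.key and PREFIX.pem
# (constructed test material, one-day validity, throwaway RSA key).
make_selfsigned_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# client_trusts TRUSTED_PEM PRESENTED_PEM: returns 0 only if the presented
# certificate verifies against the configured trust anchor, which is what
# libldap asks OpenSSL to do with the file named by TLS_CACERT.
client_trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# write_ldap_conf TRUSTED_PEM OUTFILE: the client-side ldap.conf fragment that
# pins the self-signed server certificate and refuses any other presented cert.
write_ldap_conf() {
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$1" > "$2"
}

# demo: exercise the three functions on constructed certificates in a temp dir.
demo() {
    d=$(mktemp -d)
    make_selfsigned_cert "$d/server" ldap.example.com   # the genuine server
    make_selfsigned_cert "$d/rogue"  ldap.example.com   # same name, other key
    write_ldap_conf "$d/server.pem" "$d/ldap.conf"
    if client_trusts "$d/server.pem" "$d/server.pem"; then
        echo "genuine server cert: verified against the pinned certificate"
    fi
    if client_trusts "$d/server.pem" "$d/rogue.pem"; then
        echo "rogue cert: trusted (should not happen)"; rm -rf "$d"; return 1
    fi
    echo "rogue cert: rejected; a matching CN is not enough"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run with `sh script.sh demo`; the same pinning is what `TLS_REQCERT demand` enforces during `ldapsearch -ZZ` against the real server.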
