Re: certificates

Date: Wed, 11 Jan 2006 10:36:19 -0800 (PST) From: Susan <logastellus@xxxxxxxxx>
> > I thought I needed the cacert line in /etc/openldap/ldap.conf to point the
> > ldap client to  the CA cert we trust,  otherwise we might not trust the
> > server certificate being signed by the CA.
> >
> > Thanks again,
> > Jo
> >
> That's correct, you always need the CA cert on all of the servers and
> clients. (Unless you're using anonymous cipher suites, in which case you
> don't need any certs at all. But that's pretty reckless.)

I have server-side, self-generated, self-signed certs.  None of those certs exist on any of the
clients, all my ldap traffic is ssl-encrypted over 636, no problem.  Is that what you mean by
"anonymous cipher suites"?  If so, why is that reckless?  I don't really care if the clients
misrepresent themselves, I just care that the server doesn't.

Perhaps I'm not understanding what you are saying....?

Stop for a moment and think that through. If you don't configure the client with a set of CAs to trust, then the only way to make the TLS handshake work is to tell the client not to attempt to verify the server's cert at all. That means any server can present any ol' made up certificate, claiming to be any entity, and the client will just blindly trust it.

In other words, you have absolutely zero assurance that the server hasn't misrepresented itself. If someone sets up a malicious server on your network spoofing the real server, you will never know - you'll have no way to know.

Anonymous cipher suites are a separate topic; with those, no certificates are exchanged at all, so you only establish encryption, not server (or client) authentication. In OpenSSL they're disabled by default. Enabling them is generally a bad idea; they amount to the same as the above.

--
-- Howard Chu
Chief Architect, Symas Corp.  http://www.symas.com
Director, Highland Sun        http://highlandsun.com/hyc
OpenLDAP Core Team            http://www.openldap.org/project/
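
The point Howard makes above, that a client with no CA configured can only complete the handshake by not checking the server certificate, can be made concrete with a small audit of an OpenLDAP client ldap.conf. The following is an added example written for this archive page; it is not code from the thread or from OpenLDAP. It assumes the documented meanings of the TLS_REQCERT levels (never/allow/try/demand/hard) and of TLS_CACERT / TLS_CACERTDIR, and the two configuration texts, the hostname ldap.example.test and the CA path under /etc/openldap/cacerts/ are constructed for illustration. The first configuration is the posture Susan describes (encrypted, but any server certificate accepted); the second is the fix Jo was asking about.

```python
"""Audit an OpenLDAP client ldap.conf for effective server-certificate verification.

Added example, not from the mailing-list thread or from OpenLDAP itself.
Assumption: TLS_REQCERT and TLS_CACERT/TLS_CACERTDIR carry their ldap.conf(5)
meanings. All configuration text and paths below are constructed samples.
"""
import os
import ssl

# Meaning of each TLS_REQCERT level, condensed from ldap.conf(5).
# The boolean says whether a forged server certificate gets rejected.
_REQCERT_LEVELS = {
    "never":  ("no certificate requested or checked", False),
    "allow":  ("certificate checked, but a bad or missing one is ignored", False),
    "try":    ("bad certificate rejected; a missing one is tolerated", True),
    "demand": ("bad or missing certificate rejected", True),
    "hard":   ("same as demand", True),
}

# Constructed configurations: the posture described in the thread vs. the fix.
WEAK_LDAP_CONF = """\
# client that "just works" without any CA file on it
URI ldaps://ldap.example.test:636
BASE dc=example,dc=test
TLS_REQCERT never
"""

FIXED_LDAP_CONF = """\
URI ldaps://ldap.example.test:636
BASE dc=example,dc=test
TLS_CACERT /etc/openldap/cacerts/example-ca.pem
TLS_REQCERT demand
"""


def parse_ldap_conf(text: str) -> dict:
    """Parse ldap.conf-style 'KEYWORD value' lines; keywords are case-insensitive."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def assess_tls(conf: dict) -> dict:
    """Report what the client will actually verify under this configuration."""
    level = conf.get("TLS_REQCERT", "demand").lower()   # OpenLDAP's default is demand
    if level not in _REQCERT_LEVELS:
        raise ValueError(f"unknown TLS_REQCERT level: {level!r}")
    description, level_checks = _REQCERT_LEVELS[level]
    trust_anchor = conf.get("TLS_CACERT") or conf.get("TLS_CACERTDIR")

    if not level_checks:
        verdict = "any server certificate is accepted: a spoofed server goes undetected"
    elif not trust_anchor:
        verdict = ("certificate is checked but no CA is configured: every handshake "
                   "fails, which is what tempts people into TLS_REQCERT never")
    else:
        verdict = "server certificate verified against the configured CA"

    return {
        "level": level,
        "description": description,
        "level_checks_cert": level_checks,
        "trust_anchor": trust_anchor,
        "authenticates_server": level_checks and bool(trust_anchor),
        "verdict": verdict,
    }


def ssl_context_for(conf: dict) -> ssl.SSLContext:
    """Build the equivalent Python ssl.SSLContext, to show both postures side by side."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if assess_tls(conf)["level_checks_cert"]:
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED     # with no CA loaded, every connect fails
        ca = conf.get("TLS_CACERT")
        if ca and os.path.exists(ca):           # only load a file that really exists
            ctx.load_verify_locations(cafile=ca)
    else:
        ctx.check_hostname = False              # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE         # the "reckless" posture from the thread
    return ctx


if __name__ == "__main__":
    for name, text in (("weak", WEAK_LDAP_CONF), ("fixed", FIXED_LDAP_CONF)):
        report = assess_tls(parse_ldap_conf(text))
        print(f"{name}: TLS_REQCERT {report['level']} -> {report['verdict']}")
```

Running the script prints one verdict per configuration. The interesting case is the third branch: TLS_REQCERT left at its default with no TLS_CACERT means the client does try to verify and cannot, so connections fail until either a CA is installed or verification is switched off; only the former keeps the "the server doesn't misrepresent itself" property Susan wants.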


--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
