Sat, 2002-08-24 at 02:55 Howard Chu wrote:

> Yes, the client's default behavior was changed between 2.0 and 2.1; in 2.0
> the clients default to not verifying any certificates received from a server.
> In 2.1 the clients default to full verification of server certs. You can
> change this default if you wish, and the information is in the ldap.conf(5)
> man page. However, relaxing the client's security checks is generally a bad
> idea.

Others do please note that this "new" convention is standard practice for all standard SSL/TLS applications - both server and client. FreeS/WAN IPSEC VPN/Lucent/Cisco etc. peers/clients, Netscape/Mozilla browser clients, Windows VPN clients, Exim MTA running ldaps LDAP directory and authorisation lookups via /etc/ldap.conf, *everything* in practice, needs to have access to be able to read the CA certificate that signed the server's certificate request, or to accept without question the server's CA-signed public key. One single CA certificate can suffice for a whole organization with thousands of nodes, or for a LAN with only a couple.

The ways of doing this are varied. The (always readable) CA certificate in question can either be copied to a readable directory on the machine in question, it can be propagated by means of a so-called PKCS#12 certificate bundle, it can be built into Netscape/Mozilla's cert7.db, etc. etc.

In actual fact it goes far deeper than this in practice, with CA certificate chains, CAs being able to revoke individual public key certificates, advertise certificate revocation lists and more.

Individual, self-signed server certificates should definitely be regarded as something from the past and not acceptable any more. From a security point of view, they're useless - only useful for encryption.

Best,

Tony

--
Tony Earnshaw

The usefulness of RTFM is vastly overrated.
e-mail: tonni@billy.demon.nl
www: http://www.billy.demon.nl
gpg public key: http://www.billy.demon.nl/tonni.armor
Telephone: (+31) (0)172 530428
Mobile: (+31) (0)6 51153356
GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981 3BE7B981
Attachment: signature.asc
Description: This is a digitally signed message part
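The point of the exchange above, as an added example that is not part of Tony's mail or of OpenLDAP itself: a throwaway private CA, one server certificate issued by it and one self-signed server certificate, followed by the verification a client performs when it does hold the CA certificate and when it does not, plus the ldap.conf(5) lines that select that behaviour. The CA name, the host name ldap.example.org, the $WORK scratch directory and the demo ldap.conf path are all made up for this illustration; it only needs a working openssl binary.

```shell
#!/bin/sh
# Added example, not from Tony's mail or the OpenLDAP project.  Builds a
# private CA, a CA-signed server certificate and a self-signed one, then
# runs the client-side verification for each.  Names, paths and the
# $WORK directory are invented for this demo.
set -eu

WORK=${WORK:-$(mktemp -d)}

# 1. The organization's CA: one key and one self-signed CA certificate.
#    This is the single file every client needs to be able to read.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Org CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# 2. The directory server: a key and a certificate request, signed by the CA.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=ldap.example.org" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -out "$WORK/server.crt" >/dev/null 2>&1
}

# 3. What the mail argues against: a server certificate with no CA behind it.
make_selfsigned_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=ldap.example.org" \
    -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.crt" >/dev/null 2>&1
}

# verify_with CA_FILE CERT_FILE: the chain check a client performs when
# TLS_REQCERT is "demand" and TLS_CACERT points at CA_FILE.
# Prints "ok" when the certificate chains to CA_FILE, "fail" otherwise.
verify_with() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# The client side in ldap.conf(5) terms: the relaxed 2.0 behaviour shown
# commented out beside the 2.1 default.  Written to a demo file, not to
# /etc/ldap.conf; prints the path of the file it wrote.
write_client_conf() {
  cat > "$WORK/ldap.conf" <<EOF
# Weak: accept whatever the server presents and verify nothing (2.0 default).
#TLS_REQCERT never

# Correct: require a server certificate and verify it against our CA.
TLS_REQCERT demand
TLS_CACERT  $WORK/ca.crt
EOF
  echo "$WORK/ldap.conf"
}

# Stand-alone run: "sh demo.sh run" builds everything and prints the outcomes.
if [ "${1:-}" = run ]; then
  make_ca; make_server_cert; make_selfsigned_cert
  echo "CA-signed cert, client holds the org CA:   $(verify_with "$WORK/ca.crt" "$WORK/server.crt")"
  echo "CA-signed cert, client holds another CA:   $(verify_with "$WORK/selfsigned.crt" "$WORK/server.crt")"
  echo "self-signed cert, client holds the org CA: $(verify_with "$WORK/ca.crt" "$WORK/selfsigned.crt")"
  echo "client config written to $(write_client_conf)"
fi
```

Only the first case verifies: the server certificate chains to the CA the client trusts. The self-signed certificate fails against any CA file, which is the practical meaning of "useless from a security point of view": a client can at best accept it blindly (TLS_REQCERT never or allow), never confirm who issued it. Against a real server the same check is exercised by any ldaps:// query, for instance ldapsearch -H ldaps://ldap.example.org -x -b "", with the TLS_CACERT line pointing at the CA certificate the clients were given.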