[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: 2.1.22 not accepting self-signed SSL cert

To: openldap-software@OpenLDAP.org
Subject: Re: 2.1.22 not accepting self-signed SSL cert
From: Tony Earnshaw <tonye@billy.demon.nl>
Date: Tue, 04 Nov 2003 13:36:37 +0100
In-reply-to: <64513.68.35.232.20.1067493377.squirrel@mail.theoretic.com>
References: <64513.68.35.232.20.1067493377.squirrel@mail.theoretic.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624

adamtheo@theoretic.com wrote:

TLSCertificateFile      /site/theoretic/ssl/key.pem
TLSCertificateKeyFile   /site/theoretic/ssl/key.pem
TLSCACertificateFile    /site/theoretic/ssl/key.pem
TLSCipherSuite HIGH:+MEDIUM:!LOW
TLSVerifyClient never

Maybe someone else has answered already - I'm a modem-occasional subscriber - but this is wrong. You have to keep to the rules and have separate public, key and CA cert files.

The (extra jolly) good reason for this, to my feeble mind, is that the server private key file has to be kept *secret*, while the public key has to be published and the CA cert file has to be readable by all clients + the server. Your method would defeat this end. Even if what you were doing were possible (à la Exim, Courier IMAPD etc.) it would be a glaring security hole and render the whole point of security via certs pointless.

--Tonni

--
Tony Earnshaw

Do not CC me or your mail will probably be rejected.
I don't like this, either. Blame it on Swen and a slow
Internet connection.

http://www.billy.demon.nl
Mail: billy-at-billy.demon.nl

Prev by Date: Re: bdb bad performance again (really need help)
Next by Date: Extended Password Operation -- Is it considered an update operation?
Index(es):
- Chronological
- Thread