[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Reverse Lookup Server SSL Certivicate CN

To: ms419@freezone.co.uk
Subject: Re: Reverse Lookup Server SSL Certivicate CN
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Wed, 07 Jan 2004 13:26:19 -0800
Cc: openldap-software@OpenLDAP.org
In-reply-to: <03DBBD20-40EE-11D8-87A2-000A95C71776@freezone.co.uk>
References: <03DBBD20-40EE-11D8-87A2-000A95C71776@freezone.co.uk>

At 12:46 AM 1/7/2004, ms419@freezone.co.uk wrote:
>When an openLDAP client tries to verify an openLDAP server's SSL certificate, the CN is compared to the server's name as it is provided to the client.

Yes.

>This is unlike the behavior of my customary authentication mechanism, kerberos, which performs a reverse lookup of the server's IP to locate it's principal.

Kerberos is broken here.

>Can openLDAP be configured to compare the certificate's CN to a reverse lookup of the server's IP?

No. But, IIRC, you can disable certificate checking all together.
Which, from a security standpoint, is no worse than checking the
certificate against information which can easily be spoofed.

Kurt

Follow-Ups:
- Re: Reverse Lookup Server SSL Certivicate CN
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

References:
- Reverse Lookup Server SSL Certivicate CN
  - From: ms419@freezone.co.uk

Prev by Date: Re: back-sql
Next by Date: Re: "I have no name!" -- for root???
Index(es):
- Chronological
- Thread