Re: Getting SSL/TSL to work



I don't know OpenSSL well so I'm guessing a bit here, but --

> I'm not getting anyone to issue a certificate for my server (I can't
> pay it, it's not important yet), so, I'm making self-signed
> certificates.

I have no idea if that works, nor if TLSCACertificateFile should be
absent or refer to that certificate.  Anyway, try a self-signed CA
certificate instead, and sign the server certificate with that.  That
works for us.

> Common Name (eg, YOUR name) []:master.pupeno.com
> (...)
> I was told that the DN must match my server's, but I'm not sure how to
> achieve that.

It's the Common Name above which must match your server name.  And you
must connect the server using that name, not e.g. with the IP address or
just 'master' or 'localhost', otherwise the client should refuse the
connection due to server name mismatch.  If your server has several
names which clients might use, e.g. also a CNAME ldap.pupeno.com, you
can put the alternate names in the X509v3 extension subjectAltName
(X509v3 Subject Alternative Name).

>> Similarly, put TLS_CACERT or TLS_CACERTDIR in 
>> ldap.conf so the clients can verify the server certificate, though that
>> does not affect slapd startup.
>
> I'll do that later, when I get the server to start. Why do the
> clients need the certificates?

Well, you can turn off client-side server certificate validation, but...

> Konqueror doesn't need any certificate to access a web on the https
> protocol.

an attacker can hijack the connection when you connect, and then you
negotiate an encrypted connection with a hostile server.  You detect
that by checking the server certificate, including that its hostname
matches the hostname you intended to connect to.

>> If that's not it, check that the user which slapd runs as (e.g. if you
>> use slapd -u <user>) has read access to the certificate and key files.
>
> For this testing, they are currently readable by all. When I start
> doing some security, I'll take a look at this.

Hide the certificate key at once, at least.  No good to hide it tomorrow
if someone copies it today.

-- 
Hallvard
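The setup described in the reply above, as an added example that is not part of the thread: a private self-signed CA, a server certificate signed by it whose CN and subjectAltName cover both host names from the thread, a client-style check of chain and host name, and the key file locked down. The CA name, file names and directory layout are assumptions; the host names come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): private CA, CA-signed server cert
# with subjectAltName, client-side verification, owner-only key files.
# Host names are from the thread; file names and the CA name are assumed.
set -eu

make_certs() (                    # $1 = directory to create the files in
    mkdir -p "$1" && cd "$1"
    # Private CA: self-signed, carrying the extensions a CA must have.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.cnf
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Private CA" \
        -keyout ca.key -out ca.csr 2>/dev/null
    openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -sha256 \
        -extfile ca.cnf -out ca.crt 2>/dev/null
    # Server key and CSR; the CN is the canonical server name.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=master.pupeno.com" \
        -keyout server.key -out server.csr 2>/dev/null
    # SAN lists every name clients may use (the CNAME included); CSR
    # extensions are dropped when signing, so they are supplied here.
    printf 'subjectAltName=DNS:master.pupeno.com,DNS:ldap.pupeno.com\nextendedKeyUsage=serverAuth\n' > server.cnf
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -sha256 -extfile server.cnf -out server.crt 2>/dev/null
    # Hide the keys at once: readable only by the owner (the user slapd runs as).
    chmod 600 ca.key server.key
)

# What a client with TLS_CACERT does: chain to the trusted CA *and* match
# the name it meant to reach. Prints "accepted" or "rejected".
verify_as_client() {              # $1 = directory, $2 = host name used to connect
    if openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
            "$1/server.crt" >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}

key_mode() {                      # $1 = key file; prints its octal mode
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

if [ "${1:-}" = demo ]; then      # ./tls-demo.sh demo
    D=$(mktemp -d); make_certs "$D"
    for h in master.pupeno.com ldap.pupeno.com localhost 127.0.0.1; do
        echo "$h: $(verify_as_client "$D" "$h")"
    done
    echo "server.key mode: $(key_mode "$D/server.key")"
fi
```

Connecting as `localhost` or by IP address is rejected because neither name is in the certificate, which is exactly the mismatch a hijacked connection would also produce.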