
Re: Syncrepl SSL fail



Philip Guenther wrote:
Next: the fact that you need tls_reqcert=never for TLS negotiation to
succeed strongly suggests the problem is either
a) the subject and subjectAltName of the cert don't match the hostname in
    the URL, OR
b) the client doesn't have the self-signed CA cert at the root of the
    signing chain for the server's cert.

Those are both necessary to protect the server against Man-in-the-Middle
attacks.

(It used to be that tls_reqcert=allow would disable check (b) and only
perform check (a), or at least that was the case when using the OpenSSL
crypto backend, but that behavior has apparently been removed from the
version in git as of August.  Given the vagaries of the error reporting of
the underlying crypto libraries, this was a useful tool in tracking down
which check was causing TLS failures. Oh well.)

Frankly I agree with you that the original behavior was better. As far as I recall, though I don't believe it was ever documented anywhere, the main point to using ALLOW was to accept certs that were expired but otherwise correct. The current patch in git makes you totally defenseless against MITM attacks, and I can't see any reason why it would ever be correct to deploy this way.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
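The two checks Philip lists, as an added example written for this page in Go's crypto/x509 (it is not OpenLDAP code and not from anyone in this thread): mkCert builds constructed test certificates (an "Example CA" and a leaf for the made-up host ldap.example.test), and failedCheck reports which check a tls_reqcert=demand client would trip on, the kind of isolation the old allow behaviour used to give you. Feeding it a cert with the wrong SAN, one issued by an untrusted CA, or an expired but otherwise correct one returns "a" or "b" respectively.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert builds a self-signed CA when parent is nil, else a leaf signed by parent with parentKey.
func mkCert(cn string, dns []string, notAfter time.Time, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: dns,
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: parent == nil}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed: the template signs itself and may sign others
		signer, signerKey = tmpl, priv
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// failedCheck runs the two checks a tls_reqcert=demand client makes and names the first that
// fails: "a" = subject/SAN vs. URL host, "b" = chain to the trusted CA (Verify also enforces dates).
func failedCheck(cert, trustedCA *x509.Certificate, host string) string {
	if cert.VerifyHostname(host) != nil {
		return "a"
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return "b"
	}
	return "" // both checks passed: the server cert would be accepted
}

func main() { // "Example CA" and ldap.example.test are constructed sample values
	ca, caKey := mkCert("Example CA", nil, time.Now().Add(time.Hour), nil, nil)
	leaf, _ := mkCert("ldap.example.test", []string{"ldap.example.test"}, time.Now().Add(time.Hour), ca, caKey)
	fmt.Printf("failed check: %q\n", failedCheck(leaf, ca, "ldap.example.test"))
}
```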