[Fedora-directory-users] Re: certificates

Howard Chu hyc at symas.com
Thu Jan 12 17:36:13 UTC 2006 

>
> Date: Wed, 11 Jan 2006 10:36:19 -0800 (PST) From: Susan 
> <logastellus at yahoo.com>
>>> > > I thought I needed the cacert line in /etc/openldap/ldap.conf to point the
>>> > > ldap client to  the CA cert we trust,  otherwise we might not trust the
>>> > > server certificate being signed by the CA.
>>> > >
>>> > > Thanks again,
>>> > > Jo
>>> > >   
>>>       
>> > That's correct, you always need the CA cert on all of the servers and 
>> > clients. (Unless you're using anonymous cipher suites, in which case you 
>> > don't need any certs at all. But that's pretty reckless.)
>>     
>
> I have server-side, self-generated, self-signed certs.  None of those certs exist on any of the
> clients, all my ldap traffic is ssl-encrypted over 636, no problem.  Is that what you mean by
> "anonymous cipher suites"?  If so, why is that reckless?  I don't really care if the clients
> misrepresent themselves, I just care that the server doesn't.
>
> Perhaps I'm not understanding what you are saying....?
>   

Stop for a moment and think that through. If you don't configure the 
client with a set of CAs to trust, then the only way to make the TLS 
handshake work is to tell the client not to attempt to verify the 
server's cert at all. That means any server can present any ol' made up 
certificate, claiming to be any entity, and the client will just blindly 
trust it.

In other words, you have absolutely zero assurance that the server 
hasn't misrepresented itself. If someone sets up a malicious server on 
your network spoofing the real server, you will never know - you'll have 
no way to know.

Anonymous cipher suites are a separate topic; with those, no 
certificates are exchanged at all, so you only establish encryption, not 
server (or client) authentication. In OpenSSL they're disabled by 
default. Enabling them is generally a bad idea, they amount to the same 
as the above.

-- 
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/

More information about the Fedora-directory-users mailing list