In the ldap.conf man page I can read:
... TLS_REQCERT <level> ... never The client will not request or check any server certificate. ...
In this case the ldaps:// connection will be encrypted anyway, won't it?
Ciao A
On Thu, 19 Mar 2009, alessio wrote:
> In the ldap.conf man page I can read: ... TLS_REQCERT <level> ... never The client will not request or check any server certificate.

This description in the manpage is incorrect (cf. ITS 4941). Setting TLS_REQCERT actually just disables the client's check that the name from the URI matches the cert's subjectAltName values or CN.

> In this case the ldaps:// connection will be encrypted anyway, won't it?
It'll be encrypted, but with no protection from man-in-the-middle attacks, or even detection of simple misconfigurations (CNAME pointing at wrong host, etc).
"TLS_REQCERT allow" is only slightly better, doing the name check (so some misconfigs will be caught) but still skipping the check for a known CA, so it's still vulnerable to MitM attacks. If you're going to go to the trouble to use TLS, why not distribute the certs and do it right?
Philip Guenther
openldap-software@openldap.org
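To make the tradeoff in the reply above concrete, here is an added example (not code from the thread or from OpenLDAP) that parses an ldap.conf fragment and reports which checks the client skips at each TLS_REQCERT level, following Guenther's description; the two sample configs and the CA file path are constructed.

```python
"""Audit an ldap.conf fragment for the TLS_REQCERT weakness discussed above.
Constructed example: the configs and the CA path below are made up."""

SAFE_LEVELS = ("demand", "hard")  # require a valid cert from a known CA
TRUST_KEYS = ("TLS_CACERT", "TLS_CACERTDIR")

# Constructed sample configs (not from the thread). In ldap.conf only
# lines that start with '#' are comments, so none are placed inline.
WEAK_CONF = """\
# Encrypted, but neither the name nor the issuing CA is checked
URI ldaps://ldap.example.com
TLS_REQCERT never
"""

FIXED_CONF = """\
URI ldaps://ldap.example.com
# Assumed path to the CA certificate distributed to clients
TLS_CACERT /etc/ssl/certs/example-ca.pem
TLS_REQCERT demand
"""


def parse_ldap_conf(text):
    """Map upper-cased directive names to their values, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return conf


def audit(conf):
    """Report what the client skips, following the reply: 'never' drops the
    name check and the known-CA check, 'allow' keeps only the name check,
    and only demand/hard (demand is the default) verify both."""
    level = conf.get("TLS_REQCERT", "demand").lower()
    findings = []
    if level == "never":
        findings.append("hostname/subjectAltName not checked against URI")
    if level not in SAFE_LEVELS:
        findings.append("server certificate not required from a known CA")
    if not any(k in conf for k in TRUST_KEYS):
        findings.append("no trust anchor (TLS_CACERT/TLS_CACERTDIR) configured")
    return {"level": level, "findings": findings, "mitm_detectable": not findings}


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, audit(parse_ldap_conf(text)))
```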