Peter Marschall wrote:
> On Monday, 28. May 2012, Michael Ströder wrote:
> > Peter Marschall wrote:
> > > On Monday, 28. May 2012, Philip Guenther wrote:
> > > > On Mon, 28 May 2012, Michael Ströder wrote:
> > > > > Peter Marschall wrote:
> > > > > > how do the openldap tools technically verify certificates with ldapi:// ?
> > > > > Which certs do you want to verify?
> > > > I assume the answer is "the one the server returns when you do StartTLS on the ldapi:// connection".
> > > Correct.
> > So if the quite liberal RFC 6125 does not provide any inspiration this boils down to being undefined. StartTLS over LDAPI is an unusual scenario anyway.
> Thanks for your reply. It helps a bit ("looking at the issue from the standard angle"), but my question was how the openldap tools do it.
I think the standards are what is relevant here. The arbitrary check for "localhost" does not make sense because "localhost" does not sufficiently specify the name of the server.
The server is an end entity for the CA and the CA guarantees having checked the server's identity (or checked whether someone was authorized to request a cert for the server's name). So I wouldn't trust any CA which issues certs for "localhost".
=> StartTLS over LDAP is undefined and probably every API should simply refuse it at all or accept any server cert. In both cases the underlying LDAPI channel is fully trusted anyway.
If the client really would like to implement an additional *security* check that a rogue attacker did not trick the client to connect to another Unix domain socket (MITM service) checking the server's identity by matching "localhost" also does not make sense to me.
Ciao, Michael.