On Wed, 24 Jul 2013 07:59:21 -0700 Quanah Gibson-Mount quanah@zimbra.com wrote:
--On Wednesday, July 24, 2013 4:08 PM +0200 Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de wrote:
Hi!
When trying to require integrity for LDAP connections by specifying "ssf=1" in Security, I have a problem with Perl where the cat bites its tail:
It's recommended to query the root DSE for TLS extension before trying to use TLS like this:
    my $dse = $ldap->root_dse();
    if ($dse->supported_extension(LDAP_EXTENSION_START_TLS)) {
        my $msg = $ldap->start_tls('verify' => 'require', 'capath' => '/etc/ssl/certs');
        ...
Personally, I just always try to startTLS regardless. Then you can decide whether or not you wish to continue after that point based on whether or not it succeeds or fails.
From RFC 2830, section 6 "Security Considerations":
Additionally, an active-intermediary attacker can remove the Start TLS extended operation from the supportedExtension attribute of the root DSE.
=> Always try startTLS at the client side if set in local configuration.
Furthermore from this section:
Therefore, both parties SHOULD independently ascertain and consent to the security level achieved once TLS is established and before beginning use of the TLS connection. For example, the security level of the TLS connection might have been negotiated down to plaintext.
So your client has to query the effective security level from the LDAP API and make a decision based on comparison to local config. Not sure which option to use in case of TLS though.
Ciao, Michael.
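The approach Michael describes, as an added Net::LDAP example that is not part of the thread: attempt StartTLS unconditionally, then inspect what was actually negotiated before binding. It assumes Net::LDAP's start_tls, socket and cipher methods, a hypothetical host ldap.example.org, and a minimal cipher-name deny-list chosen for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): try StartTLS regardless of the root
# DSE, then check the effective security level against local policy.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);

# Local policy, mirroring slapd's "Security ssf=1": TLS is mandatory and must
# provide real protection (no NULL or anonymous cipher suites).
my %policy = (require_tls => 1, capath => '/etc/ssl/certs');

# Attempt StartTLS without consulting supportedExtension: an active
# intermediary could have stripped it from the root DSE (RFC 2830, section 6).
sub start_tls_or_die {
    my ($ldap) = @_;
    my $msg = $ldap->start_tls(verify => 'require', capath => $policy{capath});
    die 'StartTLS failed: ' . $msg->error if $msg->code != LDAP_SUCCESS;
    return $msg;
}

# Independently ascertain the security level: the socket must now be an SSL
# socket and the negotiated cipher must not be NULL, anonymous or export-grade.
# The name patterns below are a minimal illustrative deny-list, not exhaustive.
sub tls_is_acceptable {
    my ($ldap) = @_;
    return 0 unless $ldap->socket->isa('IO::Socket::SSL');
    my $cipher = $ldap->cipher;                    # undef when not using TLS
    return 0 unless defined $cipher;
    return 0 if $cipher =~ /NULL/i;                # no confidentiality/auth
    return 0 if $cipher =~ /^(?:ADH|AECDH|EXP)/i;  # anonymous or export suites
    return 1;
}

my $ldap = Net::LDAP->new('ldap.example.org') or die "connect: $@";   # hypothetical host
start_tls_or_die($ldap) if $policy{require_tls};
die "negotiated security level does not meet local policy\n"
    if $policy{require_tls} && !tls_is_acceptable($ldap);
my $bind = $ldap->bind;                            # anonymous bind, now over TLS
die 'bind failed: ' . $bind->error if $bind->code;
$ldap->unbind;
```

Because the decision is made from the negotiated cipher rather than from the advertised extension, a stripped supportedExtension entry or a downgraded handshake both end in a refused connection instead of a plaintext bind.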