Bug #6219 (closed): Is $ldap->start_tls( verify => 'none') good enough in the ldapweb.cgi?
Start date: 11/14/2013
% Done: 0%
Description
Currently, when the ldapweb.cgi binds to the LDAP server, it issues this command to start TLS:
$ldap->start_tls( verify => 'none')
Is this command secure enough?
It seems verify can be 'none' | 'optional' | 'require'.
At line 814 there is:
#$ldap->start_tls( verify => 'require',
#cafile => '/usr/share/ssl/ldapcerts/cacert.pem');
But it is commented out.
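The two Net::LDAP settings discussed above, side by side, as an added example that is not the ldapweb.cgi code; the host, CA bundle path and bind DN are placeholders.

```perl
#!/usr/bin/perl
# Added example (not the ldapweb.cgi script). Host, CA bundle path and
# bind DN are placeholders; adjust them for your deployment.
use strict;
use warnings;
use Net::LDAP;

my $host   = 'ldap.example.org';            # placeholder LDAP host
my $cafile = '/etc/ssl/certs/ldap-ca.pem';  # placeholder CA bundle

# Weak: verify => 'none' negotiates TLS but accepts any server certificate,
# so a host that intercepts the connection can present its own certificate
# and receive the credentials sent by the later bind.
sub start_tls_unverified {
    my ($ldap) = @_;
    return $ldap->start_tls(verify => 'none');
}

# Hardened: verify => 'require' makes the handshake fail unless the server
# certificate chains to a CA in $cafile. The result code must be checked,
# because start_tls returns a message object rather than dying on failure.
sub start_tls_verified {
    my ($ldap, $cafile) = @_;
    my $mesg = $ldap->start_tls(verify => 'require', cafile => $cafile);
    die 'StartTLS failed (' . $mesg->code . '): ' . $mesg->error if $mesg->code;
    return $mesg;
}

my $ldap = Net::LDAP->new($host, port => 389, timeout => 10)
    or die "Cannot connect to $host: $@";

# Die here rather than fall through to a bind over an unverified channel.
start_tls_verified($ldap, $cafile);

# Credentials are only sent once the TLS channel has been verified.
my $bind = $ldap->bind('uid=app,ou=Account,dc=example,dc=org',
                       password => 'placeholder');
die 'Bind failed: ' . $bind->error if $bind->code;
$ldap->unbind;
```

If the CA bundle path is wrong, the 'require' variant fails the StartTLS step with a verification error instead of binding, which is the behaviour the closing comment below relies on when it mentions configuring the CA path.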
Updated by Matt Jones about 11 years ago
No, it is not. That is a security bug, as it means that the SSL cert from the server may be invalid. For maximum security, it should be set to 'require'.
Updated by ben leinfelder about 11 years ago
- Status changed from New to Closed
Jing added 'require' to the TLS calls in the ldapweb script so I believe we are good now. Also involved configuring the CA path correctly so it knows how to verify the ldap server's identity.