Bug #6219

Is $ldap->start_tls( verify => 'none') good enough in the ldpweb.cgi?

Added by Jing Tao over 5 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
-
Target version:
Start date:
11/14/2013
Due date:
% Done:

0%

Estimated time:
Bugzilla-Id:

Description

Currently, when the ldapweb.cgi binds to the ldap server, it issues this command to start tls:

$ldap->start_tls( verify => 'none')

Is this command secure enough?

It seems verify can be 'none' | 'optional' | 'require'.

On line 814, it is:

#$ldap->start_tls( verify => 'require',
#cafile => '/usr/share/ssl/ldapcerts/cacert.pem');

But they were commented out.

History

#1 Updated by Matt Jones over 5 years ago

No, it is not. That is a security bug, as it means that the SSL cert from the server may be invalid. For maximum security, it should be set to 'require'.

#2 Updated by ben leinfelder over 5 years ago

  • Target version set to 2.3.1

#3 Updated by ben leinfelder over 5 years ago

  • Status changed from New to Closed

Jing added 'require' to the TLS calls in the ldapweb script so I believe we are good now. Also involved configuring the CA path correctly so it knows how to verify the ldap server's identity.
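The change described in the description and in comment #3, shown as an added example (this is not the ldapweb.cgi code): the insecure `verify => 'none'` call is kept as a comment next to the hardened call, and the StartTLS result is checked so a failed chain verification stops the script instead of silently continuing. The hostname, bind DN and the LDAP_BIND_PW environment variable are assumptions; the CA file path is the one from the description.

```perl
#!/usr/bin/perl
# Added example, not from ldapweb.cgi: StartTLS with Net::LDAP, server
# certificate verification required. Host, bind DN and the password
# variable are assumptions; the cafile path is the one in the bug report.
use strict;
use warnings;
use Net::LDAP;

my $host   = 'ldap.example.org';                       # assumed
my $cafile = '/usr/share/ssl/ldapcerts/cacert.pem';    # from the report

sub connect_ldap_tls {
    my ($host, $cafile) = @_;

    my $ldap = Net::LDAP->new($host, version => 3)
        or die "Cannot connect to $host: $@";

    # INSECURE (what ldapweb.cgi did): the server certificate is never
    # checked, so any host answering on the port is accepted.
    #   $ldap->start_tls(verify => 'none');

    # Hardened: require a certificate chain that validates against the
    # CA in $cafile. Net::LDAP returns a Net::LDAP::Message; a non-zero
    # code means the TLS negotiation or verification failed.
    my $mesg = $ldap->start_tls(verify => 'require', cafile => $cafile);
    die "StartTLS failed: " . $mesg->error if $mesg->code;

    return $ldap;
}

my $ldap = connect_ldap_tls($host, $cafile);

# Credentials come from the environment (assumed variable name) so the
# password is not hard-coded in the script.
my $bind = $ldap->bind('cn=admin,dc=example,dc=org',   # assumed DN
                       password => $ENV{LDAP_BIND_PW});
die "Bind failed: " . $bind->error if $bind->code;

$ldap->unbind;
```

If the CA file is missing or does not match the server's issuer, start_tls now fails with a non-zero code, which is the behaviour that makes the 'require' setting meaningful.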
