Bug #6219: Is $ldap->start_tls( verify => 'none') good enough in the ldpweb.cgi? - Metacat - Ecoinformatics Redmine

Actions

Copy link

Bug #6219

closed

Is $ldap->start_tls( verify => 'none') good enough in the ldpweb.cgi?

Added by Jing Tao about 11 years ago. Updated almost 11 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Category:

Target version:

2.3.1

Start date:

11/14/2013

Due date:

% Done:

Estimated time:

Bugzilla-Id:

Description

Currently when the ldapweb.cgi binds the ldap server, it issue this command to start tls:

$ldap->start_tls( verify => 'none')

Is this command secure enough?

It seems verify can be 'none' | 'optional' | 'require'.

In the line 814, it is #$ldap->start_tls( verify => 'require',
#cafile => '/usr/share/ssl/ldapcerts/cacert.pem');

But they were commented out.

Actions

Copy link

Updated by Matt Jones about 11 years ago

No, it is not. That is a security bug, as it means that the SSL cert from the server may be invalid. For maximum security, it should be set to 'require'.

Actions

Copy link

Updated by ben leinfelder almost 11 years ago

Target version set to 2.3.1

Actions

Copy link

Updated by ben leinfelder almost 11 years ago

Status changed from New to Closed

Jing added 'require' to the TLS calls in the ldapweb script so I believe we are good now. Also involved configuring the CA path correctly so it knows how to verify the ldap server's identity.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Metacat

Custom queries

Bug #6219

Is $ldap->start_tls( verify => 'none') good enough in the ldpweb.cgi?

Updated by Matt Jones about 11 years ago

Updated by ben leinfelder almost 11 years ago

Updated by ben leinfelder almost 11 years ago