Bug #6219 (closed): Is $ldap->start_tls( verify => 'none') good enough in the ldapweb.cgi?
Start date:
11/14/2013
Due date:
% Done:
0%
Estimated time:
Bugzilla-Id:
Description
Currently, when ldapweb.cgi binds to the LDAP server, it issues this command to start TLS:
$ldap->start_tls( verify => 'none')
Is this command secure enough?
It seems verify can be 'none' | 'optional' | 'require'.
On line 814 there is:
#$ldap->start_tls( verify => 'require',
#cafile => '/usr/share/ssl/ldapcerts/cacert.pem');
But those lines were commented out.
Updated by Matt Jones over 9 years ago
No, it is not. That is a security bug, as it means that the SSL cert from the server may be invalid. For maximum security, it should be set to 'require'.
Updated by ben leinfelder over 9 years ago
- Status changed from New to Closed
Jing added 'require' to the TLS calls in the ldapweb script so I believe we are good now. Also involved configuring the CA path correctly so it knows how to verify the ldap server's identity.
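For readers of this ticket, here is an added Perl illustration (not the ldapweb.cgi code itself) placing the weak start_tls call beside the hardened one and failing closed when verification does not succeed. The host name, bind DN and password source are placeholders; the CA file path is the one quoted in the ticket.

```perl
#!/usr/bin/perl
# Added illustration, not code from ldapweb.cgi. Host, DN and password are placeholders.
use strict;
use warnings;
use Net::LDAP;

my $LDAP_HOST = 'ldap.example.org';                    # placeholder host
my $CA_FILE   = '/usr/share/ssl/ldapcerts/cacert.pem'; # path quoted in the ticket

# Weak form from the ticket: TLS is negotiated, but the server certificate is never
# checked, so any host answering on the port is accepted and credentials go to it.
sub start_tls_unverified {
    my ($ldap) = @_;
    return $ldap->start_tls( verify => 'none' );
}

# Hardened form: only accept a certificate that chains to the configured CA.
# On any failure, stop rather than silently continuing over an unverified channel.
sub start_tls_verified {
    my ($ldap) = @_;
    my $mesg = $ldap->start_tls(
        verify     => 'require',
        cafile     => $CA_FILE,
        sslversion => 'tlsv1_2',
    );
    die "StartTLS failed, refusing to bind: " . $mesg->error if $mesg->code;
    return $mesg;
}

my $ldap = Net::LDAP->new( $LDAP_HOST, port => 389, timeout => 10 )
    or die "cannot connect to $LDAP_HOST: $@";
start_tls_verified($ldap);

# Send credentials only after the server's identity has been verified.
my $bind = $ldap->bind( 'cn=admin,dc=example,dc=org',     # placeholder DN
                        password => $ENV{LDAP_PASSWORD} ); # placeholder secret source
die "bind failed: " . $bind->error if $bind->code;
$ldap->unbind;
```

The cafile must point at the CA that issued the LDAP server's certificate (capath works too), which is the configuration step the closing comment refers to.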