Created attachment 383104
screenshot of insecure advice

I could be missing something here, but I fear not. When installing openldap it recommends adding 'TLS_REQCERT never' if you want to use self-signed certificates. As far as I can see, this is a very insecure option to enable and definitely *not* something that should be recommended.

What this actually does is completely avoid BOTH of the following checks:
(1) Certificate Authority (CA) based validation of the self-signed certificate.
(2) Completely disables CN checking against the remote server.

Together, this facilitates man-in-the-middle attacks as well as accidents like simply connecting to the wrong host. (For some discussion of this 'feature', see http://www.openldap.org/lists/openldap-software/200903/msg00148.html )

I would hazard a guess that the 'right way' to set up self-signed certificates is to properly install the CA from which the self-signed certificate was issued, so that they pass validation. This way you get CN=hostname validation and use of your validated self-signed certificate (i.e. nominally secure X.509 infrastructure) without having to pay random third parties money. It could even be argued that this is more secure than the default of trusting outside signatures. This approach is probably best if you control the other end of the connection as well (and a lot of internal infrastructure to many organizations is probably like this).

PS. Tried to visit http://www.gentoo.org/security/en/#doc_chap3 but got "The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later."... erp!
(In reply to Walter from comment #0)
> As far as I can see, this is a very insecure option to enable and definitely
> *not* something that should be recommended.

It's a general notice: "If you want X, you'll have to do Y." I don't really see a 'recommendation' here.

At any rate, no vulnerability that security@ deals with. Assigning to maintainers if they want to adjust the wording.

> […]
>
> PS. Tried to visit http://www.gentoo.org/security/en/#doc_chap3 but got "The
> server is temporarily unable to service your request due to maintenance
> downtime or capacity problems. Please try again later."... erp!

PS. One issue per bug, please.
> It's a general notice: "If you want X, you'll have to do Y."

Yes, the thing is that Y is insecure and there are better options.

> I don't really see a 'recommendation' here.

Err, really? I'm not sure what else it could be called...
To be clear, the referenced site suggests "TLS_REQCERT allow" as a better alternative (allows self-signed certs by skipping CA check, but does CN checking).
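As an added illustration of the settings discussed in comment #0 and comment #3 (this is not from the bug report or from the OpenLDAP documentation), a client-side ldap.conf contrasting the setting under discussion with the private-CA approach; the URI, base DN and file path are placeholders:

```conf
# Client-side /etc/openldap/ldap.conf -- added example; URI, BASE and the
# CA file path are placeholders for an internal deployment.
URI  ldaps://ldap.example.internal
BASE dc=example,dc=internal

# Setting quoted in this bug: the server certificate is neither validated
# against a CA nor checked against the hostname, so a mistyped or
# impersonating server is accepted silently.
#TLS_REQCERT never

# Approach from comment #0: trust the private CA that issued the server
# certificate (for a self-signed server certificate, the file holds that
# certificate itself) and require a certificate that chains to it and
# matches the host named in URI.
TLS_CACERT  /etc/openldap/certs/internal-ca.pem
TLS_REQCERT demand
```

TLS_REQCERT demand is the OpenLDAP client default, so the effective change is supplying TLS_CACERT rather than relaxing the check.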
Fixed in 2.4.40