Bug 520234 - net-nds/openldap-2.4.38-r2: Sub-optimal default recommended for self-signed certificate case
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server (show other bugs)
Hardware: All Linux
Assignee: Gentoo LDAP project
Reported: 2014-08-19 07:29 UTC by Walter
Modified: 2014-10-12 06:28 UTC

Attachments
screenshot of insecure advice (openldap-fail.jpg,116.10 KB, image/jpeg)
2014-08-19 07:29 UTC, Walter

Description Walter 2014-08-19 07:29:18 UTC
Created attachment 383104
screenshot of insecure advice

I could be missing something here, but I fear not.

When installing openldap it recommends adding 'TLS_REQCERT never' if you want to use self-signed certificates.

As far as I can see, this is a very insecure option to enable and definitely *not* something that should be recommended.

What this actually does is completely avoid BOTH of the following checks:

(1) Certificate Authority (CA) based validation of the self-signed certificate.
(2) Completely disables CN checking against the remote server.

Together, this facilitates man-in-the-middle attacks as well as accidents like simply connecting to the wrong host. (For some discussion of this 'feature', see http://www.openldap.org/lists/openldap-software/200903/msg00148.html )

I would hazard a guess that the 'right way' to set up self-signed certificates is to properly install the CA from which the self-signed certificate was issued, so that they pass validation. This way you get CN=hostname validation and use of your validated self-signed certificate (i.e. nominally secure X.509 infrastructure) without having to pay random third parties money. It could even be argued that this is more secure than the default of trusting outside signatures.

This approach is probably best if you control the other end of the connection as well (and a lot of internal infrastructure to many organizations is probably like this).

PS. Tried to visit http://www.gentoo.org/security/en/#doc_chap3 but got "The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later."... erp!
Comment 1 Alex Legler (RETIRED) 2014-08-19 07:49:38 UTC
(In reply to Walter from comment #0)
> As far as I can see, this is a very insecure option to enable and definitely
> *not* something that should be recommended.

It's a general notice: "If you want X, you'll have to do Y." I don't really see a 'recommendation' here.

At any rate, no vulnerability that security@ deals with. Assigning to maintainers if they want to adjust the wording.

> […]
> 
> PS. Tried to visit http://www.gentoo.org/security/en/#doc_chap3 but got "The
> server is temporarily unable to service your request due to maintenance
> downtime or capacity problems. Please try again later."... erp!

PS. One issue per bug, please.
Comment 2 Walter 2014-08-19 07:59:16 UTC
> It's a general notice: "If you want X, you'll have to do Y."

Yes, the thing is that Y is insecure and there are better options.

> I don't really see a 'recommendation' here.

Err, really? I'm not sure what else it could be called...
Comment 3 Walter 2014-08-19 08:03:04 UTC
To be clear, the referenced site suggests "TLS_REQCERT allow" as a better alternative (allows self-signed certs by skipping CA check, but does CN checking).
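The approach argued for in the description (install the self-signed certificate itself as the trust anchor, keep the default strict checking) and the weaker 'allow' fallback from comment 3 can be exercised with openssl. The script below is an added example, not code from this bug or from the openldap package; it assumes openssl 1.1.1 or newer (for `-addext` and `-no-CAfile`), uses the constructed hostname ldap.example.com, and the function names are its own.

```shell
#!/bin/sh
# Shows what 'TLS_REQCERT never' hides: (1) the trust-anchor check and (2) the hostname
# check. With the self-signed certificate pinned as TLS_CACERT, both checks pass for the
# right host and still fail for the wrong one, so 'demand' (the default) can stay in place.
set -eu

# Create a self-signed certificate for hostname $2 in directory $1 (constructed test data).
make_self_signed() {
    dir=$1; host=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
}

# Return 0 only if certificate $3 chains to an anchor in $1 AND matches hostname $2.
# Pass "none" as $1 to verify with no trust anchor at all (system store excluded too).
verify_cert() {
    cafile=$1; host=$2; cert=$3
    if [ "$cafile" = none ]; then
        openssl verify -no-CAfile -no-CApath -verify_hostname "$host" "$cert" >/dev/null 2>&1
    else
        openssl verify -no-CApath -CAfile "$cafile" -verify_hostname "$host" "$cert" >/dev/null 2>&1
    fi
}

# ldap.conf lines matching the reporter's suggestion: pin the anchor, keep strict checking.
recommended_ldap_conf() {
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$1"
}

# Walk through the three cases; prints the recommended ldap.conf lines on success.
demo() {
    work=$(mktemp -d)
    make_self_signed "$work" ldap.example.com
    # 1. No anchor: rejected. 'TLS_REQCERT never' (and 'allow') skip this check entirely.
    if verify_cert none ldap.example.com "$work/cert.pem"; then return 1; fi
    # 2. Self-signed cert pinned as anchor: the right hostname verifies ...
    verify_cert "$work/cert.pem" ldap.example.com "$work/cert.pem" || return 1
    # 3. ... and a wrong hostname is still rejected, which 'never' would also silence.
    if verify_cert "$work/cert.pem" evil.example.com "$work/cert.pem"; then return 1; fi
    recommended_ldap_conf "$work/cert.pem"
    rm -rf "$work"
}

demo
```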
Comment 4 Robin Johnson 2014-10-12 06:28:18 UTC
Fixed in 2.4.40