Summary: | net-nds/openldap-2.4.38-r2: Sub-optimal default recommended for self-signed certificate case | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Walter <walter> |
Component: | [OLD] Server | Assignee: | Gentoo LDAP project <ldap-bugs> |
Status: | RESOLVED FIXED | ||
Severity: | normal | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Attachments: | screenshot of insecure advice |
Description
Walter
2014-08-19 07:29:18 UTC
(In reply to Walter from comment #0)

> As far as I can see, this is a very insecure option to enable and definitely *not* something that should be recommended.

It's a general notice: "If you want X, you'll have to do Y." I don't really see a 'recommendation' here. At any rate, no vulnerability that security@ deals with. Assigning to maintainers if they want to adjust the wording.

> […]
>
> PS. Tried to visit http://www.gentoo.org/security/en/#doc_chap3 but got "The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later."... erp!

PS. One issue per bug, please.

> It's a general notice: "If you want X, you'll have to do Y."

Yes, the thing is that Y is insecure and there are better options.

> I don't really see a 'recommendation' here.

Err, really? I'm not sure what else it could be called... To be clear, the referenced site suggests "TLS_REQCERT allow" as a better alternative (allows self-signed certs by skipping CA check, but does CN checking).

Fixed in 2.4.40
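An added example, not from this bug or from the OpenLDAP project: a small Python audit that reads a client ldap.conf and classifies its TLS_REQCERT value using the ldap.conf(5) semantics (never/allow/try/demand, with hard as an alias for demand), flagging the weak settings the thread is about and pointing at the stricter way to handle a self-signed server certificate (pin it via TLS_CACERT and keep TLS_REQCERT demand). The function names and the sample configs are constructed for this illustration.

```python
# Added example (not from this bug or OpenLDAP): audit how strictly a client ldap.conf
# verifies the LDAP server certificate. TLS_REQCERT semantics follow ldap.conf(5).

# Per ldap.conf(5): "hard" is an alias for "demand"; the default when unset is "demand".
TLS_REQCERT_LEVELS = {
    "never": ("none", "no server certificate is requested or checked"),
    "allow": ("weak", "a missing or unverifiable certificate is ignored and the session proceeds"),
    "try": ("partial", "a missing certificate is accepted, an unverifiable one is rejected"),
    "demand": ("strict", "a certificate is required and must verify against the configured CA"),
    "hard": ("strict", "a certificate is required and must verify against the configured CA"),
}


def parse_ldap_conf(text):
    """Return {DIRECTIVE: value}; directives are case-insensitive, '#' lines are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_tls(conf):
    """Classify TLS_REQCERT and report findings a defender would act on."""
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    strength, why = TLS_REQCERT_LEVELS.get(reqcert, ("unknown", "unrecognised value"))
    has_trust_anchor = "TLS_CACERT" in conf or "TLS_CACERTDIR" in conf
    findings = []
    if strength in ("none", "weak"):
        # The self-signed case is better handled by trusting that one certificate explicitly.
        findings.append(f"TLS_REQCERT {reqcert}: {why}; for a self-signed server cert, "
                        "point TLS_CACERT at that cert and keep TLS_REQCERT demand")
    elif strength == "strict" and not has_trust_anchor:
        findings.append("TLS_REQCERT demand with no TLS_CACERT/TLS_CACERTDIR: a self-signed "
                        "server cert will only verify if it is in the system trust store")
    return {"reqcert": reqcert, "strength": strength, "findings": findings}


# Constructed sample configs: the weak setting beside the pinned, strict one.
WEAK_CONF = "URI ldaps://ldap.example.org\nBASE dc=example,dc=org\nTLS_REQCERT allow\n"
PINNED_CONF = ("URI ldaps://ldap.example.org\nBASE dc=example,dc=org\n"
               "TLS_CACERT /etc/openldap/ldap-server-selfsigned.pem\nTLS_REQCERT demand\n")

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("pinned", PINNED_CONF)):
        print(name, audit_tls(parse_ldap_conf(text)))
```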