
Bug 520234

Summary: net-nds/openldap-2.4.38-r2: Sub-optimal default recommended for self-signed certificate case
Product: Gentoo Linux
Reporter: Walter <walter>
Component: [OLD] Server
Assignee: Gentoo LDAP project <ldap-bugs>
Status: RESOLVED FIXED    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: screenshot of insecure advice

Description Walter 2014-08-19 07:29:18 UTC
Created attachment 383104
screenshot of insecure advice

I could be missing something here, but I fear not.

When installing openldap it recommends adding 'TLS_REQCERT never' if you want to use self-signed certificates.

As far as I can see, this is a very insecure option to enable and definitely *not* something that should be recommended.

What this actually does is completely avoid BOTH of the following checks:

(1) Certificate Authority (CA) based validation of the self-signed certificate.
(2) CN checking against the remote server.

Together, this facilitates man in the middle attacks as well as accidents like simply connecting to the wrong host. (For some discussion of this 'feature', see http://www.openldap.org/lists/openldap-software/200903/msg00148.html )

I would hazard a guess that the 'right way' to set up self-signed certificates is to properly install the CA from which the self-signed certificate was issued, so that they pass validation. This way you get CN=hostname validation and use of your validated self-signed certificate (i.e. nominally secure X.509 infrastructure) without having to pay random third parties money. It could even be argued that this is more secure than the default of trusting outside signatures.

This approach is probably best if you control the other end of the connection as well (and a lot of internal infrastructure to many organizations is probably like this).

PS. Tried to visit http://www.gentoo.org/security/en/#doc_chap3 but got "The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later."... erp!
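As an added illustration (not part of the bug report, the ebuild message, or the openldap package), the script below shows the client ldap.conf the report objects to next to the corrected form it argues for, and a small audit function that flags the insecure setting. The `ldap.conf` keywords (`TLS_REQCERT`, `TLS_CACERT`, `TLS_CACERTDIR`) are the real OpenLDAP client directives; the hostname, base DN and CA file path are constructed sample values.

```shell
#!/bin/sh
# Added example: audit an OpenLDAP client ldap.conf for the TLS_REQCERT
# setting discussed in the bug. Not from the bug or from openldap itself.

# Constructed sample: the configuration the ebuild message suggested for
# self-signed certificates. "never" performs no CA and no CN/hostname check.
INSECURE_CONF='# constructed sample
URI ldaps://ldap.example.org
BASE dc=example,dc=org
TLS_REQCERT never
'

# Constructed sample: trust the private CA that issued the server certificate
# and require a certificate that validates against it and matches the host.
SECURE_CONF='# constructed sample
URI ldaps://ldap.example.org
BASE dc=example,dc=org
TLS_CACERT /etc/openldap/certs/internal-ca.pem
TLS_REQCERT demand
'

# ldap_tls_verdict: read ldap.conf text on stdin, print a one-line verdict.
# Returns 0 only when certificate verification is actually enforced.
# ldap.conf keywords are case-insensitive; comments start with '#'.
ldap_tls_verdict() {
    conf=$(cat)
    reqcert=$(printf '%s\n' "$conf" \
        | awk 'toupper($1)=="TLS_REQCERT"{print tolower($2); exit}')
    cacert=$(printf '%s\n' "$conf" \
        | awk 'toupper($1)=="TLS_CACERT"||toupper($1)=="TLS_CACERTDIR"{print $2; exit}')

    # The OpenLDAP client default when the directive is absent is "demand".
    case "${reqcert:-demand}" in
        never)
            echo "insecure: TLS_REQCERT never skips CA and hostname checks"
            return 1 ;;
        allow|try)
            echo "weak: TLS_REQCERT $reqcert tolerates a missing or bad certificate"
            return 1 ;;
        demand|hard)
            ;;
        *)
            echo "unknown TLS_REQCERT value: $reqcert"
            return 1 ;;
    esac

    # "demand" without a configured CA means a privately issued server
    # certificate can never validate, so the setup is incomplete, not verified.
    if [ -z "$cacert" ]; then
        echo "incomplete: no TLS_CACERT/TLS_CACERTDIR, a private CA cannot be trusted"
        return 1
    fi
    echo "ok"
}

# Stand-alone demonstration of both constructed configurations.
printf '%s' "$INSECURE_CONF" | ldap_tls_verdict || true
printf '%s' "$SECURE_CONF" | ldap_tls_verdict || true
```

With the corrected configuration in place, a query such as `ldapsearch -H ldaps://ldap.example.org -x -b '' -s base` (or `-ZZ` against `ldap://` for STARTTLS) succeeds only if the server certificate chains to the configured CA and its name matches the host, which is the behaviour the report asks the package message to point at instead of `never`.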
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2014-08-19 07:49:38 UTC
(In reply to Walter from comment #0)
> As far as I can see, this is a very insecure option to enable and definitely
> *not* something that should be recommended.

It's a general notice: "If you want X, you'll have to do Y." I don't really see a 'recommendation' here.

At any rate, no vulnerability that security@ deals with. Assigning to maintainers if they want to adjust the wording.

> […]
> 
> PS. Tried to visit http://www.gentoo.org/security/en/#doc_chap3 but got "The
> server is temporarily unable to service your request due to maintenance
> downtime or capacity problems. Please try again later."... erp!

PS. One issue per bug, please.
Comment 2 Walter 2014-08-19 07:59:16 UTC
> It's a general notice: "If you want X, you'll have to do Y."

Yes, the thing is that Y is insecure and there are better options.

> I don't really see a 'recommendation' here.

Err, really? I'm not sure what else it could be called...
Comment 3 Walter 2014-08-19 08:03:04 UTC
To be clear, the referenced site suggests "TLS_REQCERT allow" as a better alternative (allows self-signed certs by skipping CA check, but does CN checking).
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2014-10-12 06:28:18 UTC
Fixed in 2.4.40