From:   Viktor Dukhovni <openssl-us...@dukhovni.org>
To:     "openssl-users@openssl.org" <openssl-users@openssl.org>
Date:   09/23/2013 10:40 AM
Subject:        Re: TLS authentication for ldap
Sent by:        owner-openssl-us...@openssl.org



On Mon, Sep 23, 2013 at 11:27:06AM -0400, Salz, Rich wrote:

> > Note, the above is for enforcing STARTTLS on the server.  If the
> > decision is left to the client, the configuration is less opaque.
>
> And less secure.  :)
>
> If policy is to use SSL/TLS, then the server must enforce it;
> trusting the clients to do the right thing is bad.

Assuming the policy is a server policy.

In general those enforcing TLS security on the server side live in
a state of sin, since while the client may go through the motions
of doing TLS, nobody can force it to verify the server certificate.
To address active attacks, TLS security requires a cooperative
client.

If the server is trying to protect login credentials against passive
intercept, it can restrict access to TLS clients only, but without
a zero-knowledge password mechanism that supports channel binding,
the server is still at the mercy of the client's willingness to do
*authenticated* TLS.

--
                 Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
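The last paragraph of the message above is the point worth seeing in code: a server that cannot make its clients verify its certificate is still protected against a relaying interceptor if the password mechanism is channel-bound. The following is an added example, not code from the thread or from OpenSSL. It simulates the SCRAM-SHA-256 message flow (RFC 5802/7677) and the tls-server-end-point channel binding (RFC 5929) in-process, with constructed certificate bytes, nonces, a user "eric" and a password; SHA-256 is assumed for the certificate hash (real implementations pick it from the certificate's signature algorithm), and the names `ScramServer`, `client_proof`, `run_login` and `end_point_binding` are this example's own.

```python
"""SCRAM-SHA-256 with and without tls-server-end-point channel binding.

Added example (not from the mailing-list thread).  A client that does not
verify the server certificate may be talking to an interceptor that relays
the SCRAM messages to the real server.  With the -PLUS variant the client's
proof is computed over the certificate *it* saw, so the relayed proof does
not verify at the real server; without it, the relay succeeds.
"""
import base64
import hashlib
import hmac
import os

# Constructed stand-ins for DER-encoded certificates.  Only their difference
# matters here; real tls-server-end-point data is the hash of the server's
# actual certificate (RFC 5929, section 4.1).  SHA-256 is assumed.
REAL_SERVER_CERT = b"DER bytes of the real LDAP server certificate (constructed)"
MITM_CERT = b"DER bytes of an interceptor's self-signed certificate (constructed)"


def end_point_binding(cert_der: bytes) -> bytes:
    """tls-server-end-point channel-binding data for a certificate."""
    return hashlib.sha256(cert_der).digest()


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ScramServer:
    """Verifier side of SCRAM: keeps StoredKey/ServerKey, never the password."""

    def __init__(self, password: str, salt: bytes = b"constructed-salt",
                 iterations: int = 4096):
        self.salt, self.iterations = salt, iterations
        salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
        self.stored_key = _h(_hmac(salted, b"Client Key"))
        self.server_key = _hmac(salted, b"Server Key")

    def verify(self, expected_c: bytes, client_first_bare: bytes, server_first: bytes,
               client_final_wo_proof: bytes, proof: bytes) -> bool:
        # RFC 5802 section 7: the c= attribute must match the server's own view
        # of the GS2 header and channel-binding data before the proof is checked.
        if not client_final_wo_proof.startswith(b"c=" + expected_c + b","):
            return False
        auth_message = b",".join([client_first_bare, server_first, client_final_wo_proof])
        client_signature = _hmac(self.stored_key, auth_message)
        client_key = _xor(proof, client_signature)   # ClientProof XOR ClientSignature
        return hmac.compare_digest(_h(client_key), self.stored_key)


def client_proof(password: str, salt: bytes, iterations: int, client_first_bare: bytes,
                 server_first: bytes, client_final_wo_proof: bytes) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage) (RFC 5802 section 3)."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    auth_message = b",".join([client_first_bare, server_first, client_final_wo_proof])
    return _xor(client_key, _hmac(_h(client_key), auth_message))


def run_login(channel_binding: bool, cert_seen_by_client: bytes) -> bool:
    """One SCRAM login; returns True if the real server accepts it.

    The client binds to whatever certificate its own TLS connection showed.  If
    an interceptor terminated TLS with MITM_CERT and relayed the SCRAM messages
    unchanged, that is MITM_CERT; the real server always binds to its own cert.
    """
    password = "correct horse battery staple"            # constructed credential
    server = ScramServer(password)
    gs2_header = b"p=tls-server-end-point,," if channel_binding else b"n,,"

    client_nonce = base64.b64encode(os.urandom(18))
    client_first_bare = b"n=eric,r=" + client_nonce
    nonce = client_nonce + base64.b64encode(os.urandom(18))
    server_first = (b"r=" + nonce + b",s=" + base64.b64encode(server.salt)
                    + b",i=" + str(server.iterations).encode())

    client_cbind = end_point_binding(cert_seen_by_client) if channel_binding else b""
    client_final_wo_proof = (b"c=" + base64.b64encode(gs2_header + client_cbind)
                             + b",r=" + nonce)
    proof = client_proof(password, server.salt, server.iterations,
                         client_first_bare, server_first, client_final_wo_proof)

    server_cbind = end_point_binding(REAL_SERVER_CERT) if channel_binding else b""
    expected_c = base64.b64encode(gs2_header + server_cbind)
    return server.verify(expected_c, client_first_bare, server_first,
                         client_final_wo_proof, proof)


if __name__ == "__main__":
    print("direct, -PLUS        :", run_login(True, REAL_SERVER_CERT))
    print("intercepted, no PLUS :", run_login(False, MITM_CERT))
    print("intercepted, -PLUS   :", run_login(True, MITM_CERT))
```

The middle case is the one the message describes: the client did TLS but did not authenticate the server, so the interceptor relays a valid proof and the server cannot tell. The server only gets leverage in the third case, where the proof covers channel-binding data that the interceptor cannot make match the real certificate. Note that this still needs the client to offer the -PLUS mechanism; a server that wants to rely on it has to refuse the non-PLUS variant, which is again a policy decision, not something it can impose on a client's certificate checking.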

The old self-signed certificates had been renamed by adding .orig to the
file name.  I deleted those files and the proper certificate is now being
presented.

Thank you,
Eric