Bug #1052

closed

Certificate validation of the LDAPS servers is not enforced

Added by Florent Daigniere over 13 years ago. Updated over 6 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Certificates
Target version: -
Start date: 11/29/2010
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.0
Affected Architecture:

Description

Hi,

Looking around in the source code, it seems that the certificate validation for LDAPS servers is not enforced.

LDAPTLS_REQCERT=never

is set in many places in the source code. The only secure configuration is:

LDAPTLS_REQCERT=hard

where the SSL connection is broken if the certificate verification fails, ensuring that the credentials are not leaked to a third party in case of an active MitM attack.

Please fix it.


Files

pfsense-fix-bug1052.diff (1.37 KB), Florent Daigniere, 11/13/2011 08:32 AM
pfsense-fix-bug1052_v2.diff (1.26 KB), Florent Daigniere, 11/13/2011 09:15 AM
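
An added example (not part of the bug report or of the pfSense code base): a small Python audit that finds literal LDAPTLS_REQCERT / TLS_REQCERT settings in a source tree and reports the ones that do not require a valid server certificate. The level meanings are taken from OpenLDAP's ldap.conf(5); the function names, file suffixes and sample lines are assumptions made for illustration.

```python
import re
from pathlib import Path

# TLS_REQCERT levels from OpenLDAP's ldap.conf(5), not from the bug report.
LEVELS = {
    "never": "not-enforced",  # server certificate is not requested or checked
    "allow": "not-enforced",  # a missing or bad certificate is ignored
    "try": "partial",         # bad certificate rejected, missing one accepted
    "demand": "enforced",     # valid certificate required
    "hard": "enforced",       # synonym of demand
}

# Literal assignments only: LDAPTLS_REQCERT=<level> (environment / putenv style)
# and "TLS_REQCERT <level>" (ldap.conf style). Dynamic values are not resolved.
PATTERN = re.compile(r"\b(?:LDAP)?TLS_REQCERT\s*[=\s]\s*['\"]?(\w+)", re.IGNORECASE)


def scan_text(text, name="<input>"):
    """Return (name, line number, level, verdict) for each literal setting."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in PATTERN.finditer(line):
            level = match.group(1).lower()
            findings.append((name, lineno, level, LEVELS.get(level, "unknown")))
    return findings


def scan_tree(root, suffixes=(".php", ".inc", ".sh", ".conf")):
    """Scan every file under root that has one of the given suffixes."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            findings += scan_text(path.read_text(errors="replace"), str(path))
    return findings


def unenforced(findings):
    """Keep only settings that do not require a valid server certificate."""
    return [f for f in findings if f[3] != "enforced"]


# Constructed sample lines, not taken from the pfSense source tree.
SAMPLE = """putenv('LDAPTLS_REQCERT=never');
export LDAPTLS_REQCERT=hard
TLS_REQCERT allow
TLS_REQCERT try
"""

if __name__ == "__main__":
    for name, lineno, level, verdict in unenforced(scan_text(SAMPLE)):
        print(f"{name}:{lineno}: REQCERT level {level!r} is {verdict}")
```

Values built at run time (for example a level concatenated from a variable) are not matched and need manual review.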