Re: [squid-users] Ldap squid novell

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 7 May 2003 23:17:15 +0200

On Wednesday 07 May 2003 17.17, Nicholas Ritter wrote:

> SSL connection to a NetWare based LDAP server is not possible
> without sharing the netware tree root CA certificate and/or the
> LDAP cert. I think it is just the root CA cert, but this may depend
> on the client. iPlanet authentication against netware LDAP is the
> same issue. I think the reason is that the cert can't be verified
> with the public key of the signing authority for the cert.

The client has to trust the Netware server certificate if you enable
server certificate validation, yes. If you do not enable server
certificate validation in the client, no such trust needs to be
established, but in such a case the setup is vulnerable to a
man-in-the-middle attack if your internal network is compromised.
Now, the proxy service as such is already vulnerable to these issues,
so protecting the proxy->LDAP server from man-in-the-middle attacks
only adds marginally to security in a normal proxy setup (a https
server accelerator setup would be a different story).

If your server is using a private certificate not issued by one of the
standard CAs then this trust has to be established manually. There are
many ways to establish an SSL trust in an SSL client. Either you can
get the CA certificate that issued the certificate used by the server
(not key) and add this as a trusted CA in the client, or you can add
only the specific server certificate as trusted (this is for example
what you do for your browser when you click "accept this certificate
for..." in your browser when visiting a https site using a private
certificate).

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
Received on Wed May 07 2003 - 15:16:55 MDT
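The two ways of establishing trust in a private server certificate that Henrik describes, shown with `openssl verify` as an added example (not part of the original posting). It constructs its own throwaway CA and server certificate, and assumes an `openssl` binary of 1.0.2 or later on PATH.

```shell
#!/bin/sh
# Added example, not from the original list posting: builds a throwaway private
# CA and a server certificate with openssl, then checks the server certificate
# under the trust models Henrik describes (trust the issuing CA, or trust only
# that one server certificate). Assumes `openssl` 1.0.2+ is on PATH.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root, standing in for the NetWare tree root CA (constructed).
mkroot() {  # $1 = file base name, $2 = CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}
mkroot ca "Example Tree Root CA"
mkroot other "Unrelated Root CA"   # a CA the server cert was NOT issued by

# Server key and certificate (the "LDAP cert"), issued by the tree root CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.invalid" \
    -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" >/dev/null 2>&1
openssl x509 -req -days 2 -in "$WORK/ldap.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/ldap.pem" >/dev/null 2>&1

# Prints "accepted" or "rejected": what a validating client would decide
# about the server certificate given the trust anchors passed as arguments.
verify_with() {
    if openssl verify "$@" "$WORK/ldap.pem" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# 1. Trust store without the private CA: a validating client rejects the cert
#    (disabling validation instead is what opens the man-in-the-middle window).
verify_with -CAfile "$WORK/other.pem"
# 2. Trust the issuing CA certificate: accepted, as is any cert that CA issues.
verify_with -CAfile "$WORK/ca.pem"
# 3. Trust only the specific server certificate (browser-style "accept this
#    certificate for..."); -partial_chain lets a non-root cert be the anchor.
verify_with -partial_chain -CAfile "$WORK/ldap.pem"
```

Case 2 also accepts every other certificate the CA issues, while case 3 pins exactly one server certificate, which is the trade-off between the two approaches in the message.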