
Re: [nssldap] Questions about start_tls

On Wed, Dec 10, 2008 at 03:16:02PM -0500, maillists0@gmail.com wrote:

> > Remember that it is up
> > to the *client* to request that encryption using TLS. I would suggest
> > always using encryption for NSS and PAM clients.
> >
> >
> I'm confused about this. In /etc/ldap.conf, I have "ssl start_tls". When I
> set debug to 2, I can see that the output of the server is encrypted and
> there are a lot of "tls_read: want/got" messages, with no complaints. The
> only output that isn't encrypted is from the client. I am using a
> self-signed certificate, so I set tls_checkpeer to "no". Is this to be
> expected, or is tls on the client-side silently failing?

I have not tried this, but I suspect that the client-side debug is
showing stuff before it gets encrypted for transmission. It would not
be much use for debugging otherwise!

You can check what is on the wire using wireshark.

As a general point I would suggest always making a long-lived CA
certificate and using that to sign your server certificates. It makes
management of certs much easier when you have many servers and clients.
You can then distribute the CA cert to the clients and use it to
verify server certs - very important if you want real security.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
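The CA-based setup Andrew recommends, as an added shell example that is not part of the thread: a long-lived private CA signs the server certificate, and `openssl verify` against that CA accepts the signed certificate while rejecting a self-signed one like the questioner's (the same check the client makes with tls_checkpeer set to "yes"). The hostname, lifetimes and file paths are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the list thread. Hostname and paths are assumed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; exit 0; }

WORK=$(mktemp -d)
SERVER_CN="ldap.example.org"    # assumed LDAP server hostname

# Long-lived CA (10 years): the single cert you distribute to every client.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Server key and CSR, signed by the CA with a shorter lifetime (1 year).
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$SERVER_CN" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.crt" 2>/dev/null
}

# Self-signed server cert, like the one in the question.
make_selfsigned_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$SERVER_CN" \
        -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null
}

# verify_against_ca CERT: exit 0 if CERT chains to our CA, non-zero otherwise.
# This is what the client does with tls_checkpeer yes and tls_cacertfile set.
verify_against_ca() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

make_ca
make_server_cert
make_selfsigned_cert
verify_against_ca "$WORK/server.crt" && echo "CA-signed server cert: verified"
verify_against_ca "$WORK/self.crt" || echo "self-signed server cert: rejected (only works with tls_checkpeer no)"

# Client side (nss_ldap /etc/ldap.conf) once ca.crt has been copied there:
cat <<EOF
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-ca.crt
EOF
```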