[39611] in Kerberos
Re: ldap tls question
daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Fri Apr 17 17:45:54 2026
Message-Id: <202604171649.63HGn0sI019894@hedwig.cmf.nrl.navy.mil>
To: Marek Greško <marek.gresko@protonmail.com>
cc: kerberos@mit.edu
In-Reply-To: <D61lD9LkWTQEBLAJXk-qkrqiSi_mHOIXexnesv33xWeQx_5065aJGJvdpe3iLsbXeI_N66sH4txPj5WLCEaJPJMksoFAVsJiyybYfDxE5y4=@protonmail.com>
MIME-Version: 1.0
Date: Fri, 17 Apr 2026 12:48:59 -0400
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenneth.hornstein.ctr@nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
>this seems usable. So I suppose when I set ldaps instead of
>ldap, kerberos should stop working until I set LDAPTLS_CACERT in
>/etc/sysconfig/krb5kdc, right? (I am using Fedora 43.)
I believe that is correct, yes, assuming it can't verify the certificate
using the OS certificate store.
>The start_tls is not possible with MIT kerberos, right?
Assuming you're using the OpenLDAP libraries, my reading of the
code is that if ldap_new_connection() sees that the server supports
start_tls then it will automatically attempt it. _However_ ... it
will not require that start_tls succeeds, like the "-ZZ" option to
the command-line utilities does. So you would be vulnerable to an active
downgrade attack by a rogue server. So I believe the answer is, "It
will probably work, but you shouldn't use it in this case". There does
not seem to be a client-side configuration setting that would enforce
the use of start_tls, which is kind of unfortunate. You can do that
on the _server_, but again that doesn't help you with a rogue server and an
active downgrade attack.
--Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
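An added audit check, not code from this thread or from MIT krb5, that flags the two things Ken's reply turns on: an ldap:// URI in kdc.conf, whose StartTLS the client cannot require, and a sysconfig file that does not pin a CA with LDAPTLS_CACERT. The sample kdc.conf and sysconfig files it writes are constructed; the ldap_servers key in the [dbmodules] stanza and the VAR=value sysconfig layout are assumptions.

```sh
#!/bin/sh
# Added example, not code from this thread or from MIT krb5: audit a KDC's
# LDAP backend for the weakness Ken describes. With an ldap:// URI libldap
# may StartTLS opportunistically, but nothing makes it mandatory, so an
# attacker answering as the server can strip it. The fix is ldaps:// in
# kdc.conf plus LDAPTLS_CACERT in /etc/sysconfig/krb5kdc, which Fedora's
# krb5kdc service reads as its environment. Assumed: the [dbmodules]
# stanza uses the standard ldap_servers key and sysconfig is VAR=value lines.

# audit_kdc_ldap KDC_CONF SYSCONFIG -> 0 if hardened, 1 with findings on stdout
audit_kdc_ldap() {
  kdc_conf="$1"; sysconfig="$2"; rc=0
  # ldap_servers may list several space-separated URIs.
  uris=$(sed -n 's/^[[:space:]]*ldap_servers[[:space:]]*=[[:space:]]*//p' "$kdc_conf")
  [ -n "$uris" ] || { echo "FINDING: no ldap_servers in $kdc_conf"; return 1; }
  for u in $uris; do
    case "$u" in
      ldaps://*) ;;   # TLS from the first byte; nothing to downgrade
      ldapi://*) ;;   # local UNIX socket; no network path for a rogue server
      ldap://*)  echo "FINDING: $u depends on StartTLS, which the client cannot require"; rc=1 ;;
      *)         echo "FINDING: unrecognised URI $u"; rc=1 ;;
    esac
  done
  # Without a trusted CA the KDC cannot tell a rogue ldaps server from the real one.
  if ! grep -Eq '^[[:space:]]*(export[[:space:]]+)?LDAPTLS_CACERT=' "$sysconfig" 2>/dev/null; then
    echo "FINDING: LDAPTLS_CACERT not set in $sysconfig"; rc=1
  fi
  # OpenLDAP's LDAPTLS_REQCERT=never|allow turns certificate verification off.
  if grep -Eq '^[[:space:]]*(export[[:space:]]+)?LDAPTLS_REQCERT=(never|allow)' "$sysconfig" 2>/dev/null; then
    echo "FINDING: LDAPTLS_REQCERT disables verification in $sysconfig"; rc=1
  fi
  return $rc
}

# write_samples -> prints a temp dir with constructed weak and hardened configs
write_samples() {
  d=$(mktemp -d)
  printf '[dbmodules]\n  openldap_ldapconf = {\n    db_library = kldap\n    ldap_servers = ldap://ldap.example.com\n  }\n' > "$d/weak.conf"
  : > "$d/weak.sysconfig"   # nothing pins a CA
  printf '[dbmodules]\n  openldap_ldapconf = {\n    db_library = kldap\n    ldap_servers = ldaps://ldap.example.com\n  }\n' > "$d/hardened.conf"
  printf 'LDAPTLS_CACERT=/etc/pki/tls/certs/ldap-ca.pem\n' > "$d/hardened.sysconfig"
  echo "$d"
}

d=$(write_samples)
echo "weak:";     audit_kdc_ldap "$d/weak.conf"     "$d/weak.sysconfig"     || echo "-> NOT hardened"
echo "hardened:"; audit_kdc_ldap "$d/hardened.conf" "$d/hardened.sysconfig" && echo "-> OK"
```

Point the two arguments at a real /var/kerberos/krb5kdc/kdc.conf and /etc/sysconfig/krb5kdc to check a live KDC; a clean run still only says the configuration asks for ldaps and a CA, it does not prove the LDAP server's certificate chains to that CA.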