[39612] in Kerberos
Re: ldap tls question
daemon@ATHENA.MIT.EDU (Marek Greško via Ke
Sat Apr 18 07:50:08 2026
Date: Sat, 18 Apr 2026 11:49:47 +0000
To: Ken Hornstein <kenneth.hornstein.ctr@nrl.navy.mil>
Cc: kerberos@mit.edu
Message-ID: <Eno3pIyf2Hz79w4N5qtWnWTdZJ6DKPqM6SWm6ZruKxzyimwKiEzdI34H0gWM335hhfDM45xa0zuGdw4hQGb15a6i7_d3dCIai8b28-mVbPY=@protonmail.com>
In-Reply-To: <202604171649.63HGn0sI019894@hedwig.cmf.nrl.navy.mil>
From: Marek Greško via Kerberos <kerberos@mit.edu>
Reply-To: Marek Greško <marek.gresko@protonmail.com>
Hello Ken,
thanks for the detailed analysis.
Marek
Sent with Proton Mail secure email.
On Friday, 17 April 2026, 18:49, Ken Hornstein <kenneth.hornstein.ctr@nrl.navy.mil> wrote:
> >this seems usable. So I suppose when I set ldaps instead of
> >ldap, kerberos should stop working until I set LDAPTLS_CACERT in
> >/etc/sysconfig/krb5kdc right? (I am using Fedora 43.)
>
> I believe that is correct, yes, assuming it can't verify the certificate
> using the OS certificate store.
>
> >The start_tls is not possible with MIT kerberos, right?
>
> Assuming you're using the OpenLDAP libraries, my reading of the
> code is that if ldap_new_connection() sees that the server supports
> start_tls then it will automatically attempt it. _However_ ... it
> will not require that start_tls succeeds like the "-ZZ" option to
> the command-line utilities. So you would be vulnerable to an active
> downgrade attack by a rogue server. So I believe the answer is, "It
> will probably work, but you shouldn't use it in this case". There does
> not seem to be a client-side configuration setting that would enforce
> the use of start_tls, which is kind of unfortunate. You can do that
> on the _server_, but again that doesn't help you with a rogue server and an
> active downgrade attack.
>
> --Ken
>
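A small audit helper for the situation Ken describes, added here as an example and not part of the thread or of MIT Kerberos: it reads the `ldap_servers` URIs from the KDC config and flags plain `ldap://` entries (where StartTLS is only opportunistic on the client and a rogue server could strip it), and checks that `LDAPTLS_CACERT` is set in the krb5kdc environment file. The file paths in the comments are assumptions based on Fedora's defaults.

```shell
#!/bin/sh
# Example audit script (not from the thread). Assumed paths on Fedora:
#   KDC config:      /var/kerberos/krb5kdc/kdc.conf
#   KDC environment: /etc/sysconfig/krb5kdc
#
# kdc_ldap_audit KDC_CONF ENV_FILE
#   Prints one finding per line; returns 0 when nothing was found,
#   1 on findings, 2 when no ldap_servers setting exists at all.
kdc_ldap_audit() {
    conf=$1; envfile=$2; rc=0
    # Collect every ldap_servers value; MIT accepts a space separated list of URIs.
    uris=$(sed -n 's/^[[:space:]]*ldap_servers[[:space:]]*=[[:space:]]*//p' "$conf")
    if [ -z "$uris" ]; then
        echo "no ldap_servers setting found in $conf"
        return 2
    fi
    for u in $uris; do
        case $u in
            ldaps://*) ;;   # TLS from the first byte; certificate must verify
            ldapi://*) ;;   # local Unix socket, not exposed to the network
            ldap://*)
                echo "plain URI $u: StartTLS is not enforced by the client, downgrade possible"
                rc=1 ;;
            *)
                echo "unrecognised URI $u"
                rc=1 ;;
        esac
    done
    # ldaps:// only works if the server certificate can be verified; without
    # LDAPTLS_CACERT that depends on the OS store or ldap.conf covering the CA.
    if ! grep -q '^[[:space:]]*LDAPTLS_CACERT=' "$envfile" 2>/dev/null; then
        echo "LDAPTLS_CACERT not set in $envfile: verify the OS store trusts the LDAP CA"
        rc=1
    fi
    return $rc
}
```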
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos