Re: powerdns check with debian edu.
-----BEGIN PGP SIGNED MESSAGE-----
On Sun, Apr 19, 2009 at 11:08:11PM +0200, Ronny Aasen wrote:
> Jonas Smedegaard wrote:
>> On Sun, Apr 19, 2009 at 09:31:26PM +0200, Ronny Aasen wrote:
>>> Andreas Schockenhoff wrote:
>>>> Unfortunately ldap is broken in cd-lenny-test-dvd because the
>>>> ssl certificate of the ldapserver seams lost.
>>> danielsan told me the reason may be that the ssl directory may not
>>> be accessible to others. something like chmod o+x /etc/ldap/ssl
>>> might help on that.
>> Perhaps it is inaccessible for a good reason, and your proposed
>> change creates a locally exploitable security hole:
>> If the file contains only a public certificate there should be no
>> security issue in making it world readable. But if the file contains
>> the private key then it should *not* be revealed to others.
>> It does not matter for security (only for trust) if the certificate
>> is self-signed or not: SSL in essentially insecure if private key is
>> not kept private!
> that is actaly the directory containing the cert and key. and the key
> is only readably by root.
Ah, ok. Makes sense, then.
* Jonas Smedegaard - idealist og Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----