[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: powerdns check with debian edu.

Hash: SHA1

On Sun, Apr 19, 2009 at 11:08:11PM +0200, Ronny Aasen wrote:
> Jonas Smedegaard wrote:
>> On Sun, Apr 19, 2009 at 09:31:26PM +0200, Ronny Aasen wrote:
>>> Andreas Schockenhoff wrote:

>>>> Unfortunately ldap is broken in cd-lenny-test-dvd because the
>>>> ssl certificate of the ldapserver seams lost.          
>>> danielsan told me the reason may be that the ssl directory may not 
>>> be accessible to others. something like chmod o+x /etc/ldap/ssl 
>>> might help on that.
>> Perhaps it is inaccessible for a good reason, and your proposed 
>> change creates a locally exploitable security hole:
>> If the file contains only a public certificate there should be no 
>> security issue in making it world readable.  But if the file contains 
>> the private key then it should *not* be revealed to others.
>> It does not matter for security (only for trust) if the certificate 
>> is self-signed or not: SSL in essentially insecure if private key is 
>> not kept private!
> that is actaly the directory containing the cert and key. and the key 
> is only readably by root.

Ah, ok.  Makes sense, then.

  - Jonas

- -- 
* Jonas Smedegaard - idealist og Internet-arkitekt
* Tlf.: +45 40843136  Website: http://dr.jones.dk/

  [x] quote me freely  [ ] ask before reusing  [ ] keep private
Version: GnuPG v1.4.9 (GNU/Linux)


Reply to: