sandeep kiran p wrote:
> Ours is an LDAP client application that fetches LDAP server names on the fly
> using DNS SRV Resource Records. We then randomly pick one of the servers
> returned from DNS, establish an SSL/TLS connection with that server and then
> perform a bind operation using user credentials (DN and password). User
> credentials are protected since everything goes encrypted between the client
> and server.
>
> Recently we discovered that such a mechanism could be vulnerable to a DNS
> spoofing attack where an attacker could modify (or drop) the server list
> returned by the DNS and inject his/her own malicious directory server name.
> Client would then blindly establish an SSL/TLS connection with that server
> and would end up handing over the user credentials to it.
If that's possible you either do the host name verification in the wrong way or your CA is not trustworthy.

An RFC that describes how the verification has to be done is in the works currently:
http://tools.ietf.org/html/draft-saintandre-tls-server-id-check-09

Basically, if you have a DNS SRV record _ldap.tcp.bar.com that points to ldap.foo.com, the certificate for ldap.foo.com needs to have an entry that makes it valid for _ldap.tcp.bar.com. You must not use the result of the DNS lookup (ldap.foo.com) for the host name verification.

cu
Ludwig

--
Ludwig Nussel, http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
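The check Ludwig describes, as an added example that is not part of either mail: the client matches the server certificate against the source domain it queried (bar.com, as an SRV-ID or, if local policy allows, a DNS-ID), never against the host name the unsigned SRV answer handed back. The SRV-ID is spelled here in the form the cited draft uses, `_ldap.bar.com` (service name prefixed to the source domain). Certificate identifiers are modelled as `(type, value)` pairs standing in for subjectAltName entries; the attacker host name, certificates and the `allow_dns_id` policy flag are constructed for the example.

```python
"""Reference-identity check for a TLS server reached via a DNS SRV lookup.

Added example, not code from the mailing-list thread. It contrasts the
mistake the post warns about (verifying against the SRV target) with the
rule in draft-saintandre-tls-server-id-check / RFC 6125 (verifying against
the source domain the client asked about). Certificate identifiers are
modelled as (type, value) pairs in place of parsed subjectAltName entries.
"""


def srv_id(service: str, source_domain: str) -> str:
    """SRV-ID reference identifier: ('ldap', 'bar.com') -> '_ldap.bar.com'."""
    return f"_{service}.{source_domain.rstrip('.')}".lower()


def dns_id_matches(presented: str, reference: str) -> bool:
    """DNS-ID comparison: case-insensitive; a wildcard may only be the whole
    left-most label and must leave at least two labels after it, so '*.com'
    never matches anything."""
    presented = presented.lower().rstrip(".")
    reference = reference.lower().rstrip(".")
    if presented == reference:
        return True
    if presented.startswith("*."):
        ref_labels = reference.split(".")
        return len(ref_labels) >= 3 and ".".join(ref_labels[1:]) == presented[2:]
    return False


def cert_matches_source(service: str, source_domain: str, cert_ids, allow_dns_id: bool = True) -> bool:
    """Correct check: the certificate must carry an SRV-ID for the source
    domain ('_ldap.bar.com'), or, when local policy permits the fallback
    (assumed 'allow_dns_id' flag), a DNS-ID for the source domain itself.
    The SRV target name plays no role here: it came from an unsigned answer."""
    want_srv = srv_id(service, source_domain)
    for kind, value in cert_ids:
        if kind == "SRV" and value.lower().rstrip(".") == want_srv:
            return True
        if allow_dns_id and kind == "DNS" and dns_id_matches(value, source_domain):
            return True
    return False


def cert_matches_srv_target(srv_target: str, cert_ids) -> bool:
    """The mistake: checking the certificate against the host name returned
    by DNS. Anyone who can spoof the SRV answer and hold a CA-issued
    certificate for their own host passes this check."""
    return any(kind == "DNS" and dns_id_matches(value, srv_target) for kind, value in cert_ids)


def demo() -> dict:
    """Constructed scenario: the attacker spoofs the SRV answer for bar.com
    to point at ldap.evil.example and presents a perfectly valid
    certificate for that name."""
    service, source = "ldap", "bar.com"
    spoofed_target = "ldap.evil.example"
    attacker_cert = [("DNS", "ldap.evil.example")]
    legit_cert = [("SRV", "_ldap.bar.com"), ("DNS", "ldap.foo.com")]
    return {
        "wrong_check_accepts_attacker": cert_matches_srv_target(spoofed_target, attacker_cert),
        "right_check_rejects_attacker": not cert_matches_source(service, source, attacker_cert),
        "right_check_accepts_legit": cert_matches_source(service, source, legit_cert),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Note that a certificate valid only for the SRV target (ldap.foo.com) fails the correct check as well: the legitimate server has to carry an identifier for bar.com, which is exactly the certificate requirement the reply spells out.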