Security Advisory 20120227
Chad La Joie
lajoie at itumi.biz
Mon Feb 27 22:09:17 GMT 2012
Correct, there was no hostname checking before (which is very bad).
In your case, either the LDAP servers or the load balancer is
misconfigured. The load balancer can be configured to hide the fact
that there are N number of servers by intercepting traffic and
proxying it. In which case all the LDAP servers need to report their
hostname and a cert as what the load balancer is calling the cluster.
Alternatively, the load balancer can simply route traffic to the
server and get out of the way. In which case the LDAP servers would
each have their own hostname and the cert given by the LDAP server
would need to match that hostname.
On Mon, Feb 27, 2012 at 17:01, Juan Quintanilla <jquin014 at fiu.edu> wrote:
> Oh okay, now in the previous version it was not checking for this? It looks like the ldap is being load balanced since the host name they provided me was fiuldap1.fiu.edu and that must be one of the servers that is behind the load balancer. I will need to get the correct cert.
>
> Thanks!
>
> ___________________
> Juan Quintanilla
> UTS - Enterprise Group
> 305-348-6573
> jquin014 at fiu.edu
> ________________________________________
> From: users-bounces at shibboleth.net [users-bounces at shibboleth.net] on behalf of Cantor, Scott [cantor.2 at osu.edu]
> Sent: Monday, February 27, 2012 4:37 PM
> To: Shib Users
> Subject: RE: Security Advisory 20120227
>
>> There is no load balancer performing the SSL-offloading on the shibboleth
>> server. Below is the cert.
>
> Nope...
>
>> Also found some extra information when I turned on Debug for ldap:
>> 16:25:56.858 - DEBUG
>> [edu.vt.middleware.ldap.ssl.DefaultHostnameVerifier:123] - hostname =
>> fiuldap1.fiu.edu
>> 16:25:56.859 - DEBUG
>> [edu.vt.middleware.ldap.ssl.DefaultHostnameVerifier:124] - cert =
>> CN=rhldapc03.fiu.edu, OU=Division of Information Technology, O=Florida
>> International University, L=Miami, ST=Alabama, C=US
>
> That is the cert. No wildcard.
>
> -- Scott
>
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
--
Chad La Joie
www.itumi.biz
trusted identities, delivered
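To make the hostname-matching rule in the reply above concrete, here is an added example (not vt-ldap's DefaultHostnameVerifier and not Shibboleth code) that checks a connected hostname against a certificate the way the DEBUG lines describe, and runs it over the thread's values plus both fixes Chad outlines. The subject string and hostnames are taken from the thread; the SAN list and the simplified RFC 4514 parsing are assumptions.

```python
"""Hostname verification: the name the client connected to must match a
name the server's certificate claims (dNSName SAN, else the subject CN).
Added example; not the vt-ldap or Shibboleth implementation."""
from typing import Optional, Tuple


def _cn_from_subject(subject: str) -> Optional[str]:
    # Pull CN out of an RFC 4514 subject string like the one logged in the
    # thread. Simplification: escaped commas inside values are not handled.
    for rdn in subject.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.upper() == "CN":
            return value.strip()
    return None


def _name_matches(pattern: str, hostname: str) -> bool:
    # Case-insensitive exact match; a '*' is honoured only as the entire
    # leftmost label, so '*.fiu.edu' matches 'fiuldap1.fiu.edu' but not
    # 'fiu.edu' or 'a.b.fiu.edu'. (Scott's point: the logged cert has no wildcard.)
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = hostname.split(".")
        return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]
    return False


def verify_hostname(hostname: str, subject: str, san_dns: Tuple[str, ...] = ()) -> bool:
    """True if hostname matches a dNSName SAN, or the CN when no SANs exist."""
    names = san_dns if san_dns else (_cn_from_subject(subject) or "",)
    return any(_name_matches(n, hostname) for n in names if n)


# Values taken from the DEBUG output quoted in the thread.
CONNECTED_HOST = "fiuldap1.fiu.edu"
SERVER_SUBJECT = ("CN=rhldapc03.fiu.edu, OU=Division of Information Technology, "
                  "O=Florida International University, L=Miami, ST=Alabama, C=US")


def thread_case() -> dict:
    # Assumed SAN list for the "cert names the cluster" fix; the thread gives no SANs.
    cluster_sans = ("fiuldap1.fiu.edu", "rhldapc03.fiu.edu")
    return {
        # As reported: balanced name vs. the backend's own cert -> verification fails.
        "as_reported": verify_hostname(CONNECTED_HOST, SERVER_SUBJECT),
        # Fix 1: balancer just routes; client connects to the backend's real name.
        "connect_to_backend": verify_hostname("rhldapc03.fiu.edu", SERVER_SUBJECT),
        # Fix 2: balancer proxies; every backend presents a cert naming the cluster.
        "cert_names_cluster": verify_hostname(CONNECTED_HOST, SERVER_SUBJECT, cluster_sans),
    }
```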