De nada: my pleasure. Just to make sure that the issue is clear though, it's worth spelling it out.
The core of the issue is that in it's present form (and going back multiple distributions) the default configuration for connections using SSL via STARTTLS (which is the norm) does not check the validity of the server certificate at all. This means that the connection can simply be MITMed, then the contents accessed (sensitive authentication credentials etc). From my perspective, this kind of issue is actually worse than having no SSL at all, because no-one would use an unencrypted connection anywhere exposed, whereas people will now be deploying connections thinking the SSL is offering some form of protection, where as they are not. It's a false sense of security. Obviously all the packages that have this library as a dependency are insecure and vulnerable to interception too. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1835181 Title: OpenLDAP LDAP_OPT_X_TLS_REQUIRE_CERT handling differences between ldaps:// and ldap:// with STARTTLS To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1835181/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
