Accept Cert even if invalid?
Andrew Petro
apetro at unicon.net
Fri Jun 6 23:30:37 EDT 2008
I'm probably not understanding the question, but I'll bite anyway:
> even if the certificate is invalid
It is seldom appropriate to configure *anything* to accept an invalid
SSL certificate. To do so is probably to obviate all the security
advantages of using SSL. Doing SSL properly institutes some real,
industry-standard guarantees about the authenticity of the endpoint and
the non-interceptability of the communications with that endpoint (or
about the classes of exploit necessary to overcome this, e.g. laying
hands on the private SSL key of the server). Doing SSL improperly
merely inconveniences the adversary in ways that add no principled security.
So my gut reaction is, no, there's no reason to tell CAS to connect to
an ldaps where the certificate is invalid, and there is no reason to use
an SSL certificate that is invalid from the perspective of the intended
consumers of the service it authenticates.
Care to clarify the question?
Best wishes,
Andrew
Martin Lamprechter wrote:
> Hi!
>
> Is there any reason to tell cas that it should connect to a secret
> ldaps, even if the certificate is invalid?
>
> Greetings
> Martin
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>