
Overrides certificate validation without large warning

Status: Open. waldiTM opened this issue 9 years ago, 2 comments.

hiera-ldap monkey-patches Net::LDAP to disable SSL certificate validation for every connection made, even if done by other code in the same instance. This allows MitM attacks on every connection made. This problem is categorized as CWE-295.

waldiTM, May 06 '15 18:05
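To make the "every connection made, even if done by other code in the same instance" point concrete, here is an added illustration (not code from hiera-ldap or Net::LDAP). It uses a constructed stand-in class, `SharedTlsClient`, for a shared TLS client with a `tls_options` hash, contrasts a process-wide monkey-patch with a per-instance option, and includes an audit check a deployment could run to detect that verification has been switched off globally.

```ruby
require 'openssl'

# Constructed stand-in for a shared TLS client class (not Net::LDAP itself):
# the safe default is VERIFY_PEER, overridable per instance via an option.
class SharedTlsClient
  def initialize(tls_options: {})
    @tls_options = tls_options
  end

  def ssl_context
    ctx = OpenSSL::SSL::SSLContext.new
    ctx.verify_mode = @tls_options.fetch(:verify_mode, OpenSSL::SSL::VERIFY_PEER)
    ctx
  end
end

# The kind of process-wide monkey-patch the issue describes: once prepended,
# every SharedTlsClient in the process stops verifying, whoever created it.
module DisableVerificationPatch
  def ssl_context
    super.tap { |ctx| ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE }
  end
end

def apply_global_patch!
  SharedTlsClient.prepend(DisableVerificationPatch)
end

# Audit check: build a client with default options and see whether it still
# verifies. true means something loaded into this process downgraded it.
def verification_disabled_globally?
  SharedTlsClient.new.ssl_context.verify_mode == OpenSSL::SSL::VERIFY_NONE
end

# The narrower alternative: a caller that must skip verification passes it
# as a per-instance option, and every other client keeps the secure default.
def per_instance_insecure_client
  SharedTlsClient.new(tls_options: { verify_mode: OpenSSL::SSL::VERIFY_NONE })
end
```

Running the audit check before and after `apply_global_patch!` shows the difference: the per-instance client never changes what an unrelated `SharedTlsClient.new` does, while the prepended patch does.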

As I recall we had to do this because puppet itself was monkey patching Net::LDAP so we had to 'unmonkey' patch it. I also think there was something mumble mumble ruby versions. @petems you want to try using the plugin without the ssl patching and see how it goes today? Or @nightfly19? I no longer use this software so I'm not the best candidate for driving its development.

nibalizer, May 10 '15 17:05

I'll have a quick go, I'm not able to access a real LDAP instance easily (was at customer site at the time) but I think I should be able to test this with ladle.

petems, May 15 '15 17:05