[CVE-2020-16093] Peer certificate not checked when using LDAPS
Environment
LemonLDAP::NG version: 2.0.8
Operating system: Debian 10
Summary
- Configure a ldaps:// URL as ldapServer
- Set up a self-signed certificate on the LDAP server
- It works
- (It should not work.)
Possible fixes
Net::LDAP is insecure by default, at least on Debian Buster. We should explicitly pass verify => require when initializing it.
Fixing this is probably going to break a lot of installs. We need to create a new option for this and add a warning to release notes.
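As an added illustration (not code from the issue or from LemonLDAP::NG), the default Net::LDAP call beside the hardened one described above; the server URL and CA bundle path are assumptions:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;

# Constructed value standing in for the ldapServer setting (hypothetical host).
my $ldap_server = 'ldaps://ldap.example.com';

# Weak form: no verify option. With the Debian Buster default this opens TLS
# but never checks the peer certificate, so a self-signed certificate (or one
# presented by a man-in-the-middle) is accepted silently.
my $insecure = Net::LDAP->new($ldap_server)
    or die "connect failed: $@";

# Hardened form: require verification of the peer certificate against a
# trusted CA bundle (assumed Debian system bundle; capath => '/etc/ssl/certs'
# is the directory equivalent). With a self-signed server certificate this
# call now fails instead of succeeding, which is the behaviour the issue asks for.
my $secure = Net::LDAP->new(
    $ldap_server,
    verify => 'require',
    cafile => '/etc/ssl/certs/ca-certificates.crt',
) or die "TLS verification or connect failed: $@";

# Once connected, bind as usual (anonymous bind shown).
my $mesg = $secure->bind;
$mesg->code and die "bind failed: " . $mesg->error;
print "connected with verified peer certificate\n";
$secure->unbind;
```

Because existing deployments with self-signed or private-CA certificates will start failing once verify => 'require' is the default, the cafile/capath value is what the new option mentioned above needs to expose.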