[CVE-2020-16093] Peer certificate not checked when using LDAPS
LemonLDAP::NG version: 2.0.8
Operating system: Debian 10
- Configure a
- Setup a self signed certificate on the LDAP server
- It works
- (It should not work.)
Net::LDAP is insecure by default, at least on Debian Buster. We should explicitly pass verify => require when initializing it.
Fixing this is probably going to break a lot of installs. We need to create a new option for this and add a warning to release notes.
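The default-versus-hardened difference the report describes, as an added Perl example written for this page (not LemonLDAP::NG's or perl-ldap's own code); the server URL and CA bundle path are assumptions:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;

# Hypothetical directory server and CA bundle; replace with your own values.
my $ldap_host = 'ldaps://ldap.example.internal';
my $ca_file   = '/etc/ssl/certs/internal-ca.pem';

# Weak form: Net::LDAP's default is verify => 'none', so the server's
# certificate is never checked and a self-signed one is silently accepted.
sub connect_unverified {
    my $ldap = Net::LDAP->new($ldap_host) or die "LDAPS connect failed: $@";
    return $ldap;
}

# Hardened form: require a certificate that validates against a trusted CA.
# With verify => 'require', Net::LDAP->new returns undef (error in $@) when
# certificate validation fails, which is the fail-closed behaviour wanted here.
sub connect_verified {
    my $ldap = Net::LDAP->new(
        $ldap_host,
        verify     => 'require',   # refuse an untrusted or self-signed cert
        cafile     => $ca_file,    # CA bundle used to validate the chain
        sslversion => 'tlsv1_2',   # do not negotiate older protocol versions
    ) or die "LDAPS connect refused: $@";
    return $ldap;
}

# Prove the verified channel is usable with an anonymous bind.
my $ldap = connect_verified();
my $mesg = $ldap->bind;
die 'bind failed: ' . $mesg->error if $mesg->code;
print "Connected to $ldap_host with a verified server certificate\n";
$ldap->unbind;
```

Running connect_verified() against a server that presents a self-signed certificate dies at connect time instead of "working", which is the check the steps to reproduce expect.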