Expected Behavior
Graylog should verify the LDAP server certificate chain up to a trusted root, and refuse the connection when the certificate chain cannot be verified.
Current Behavior
Graylog accepts LDAP server certificates whose root certificate is not in any trust store. This presents a vulnerability for man-in-the-middle attacks.
Possible Solution
Steps to Reproduce (for bugs)
Navigate to the LDAP / Active Directory configuration page.
Enable LDAP, choose server type 'LDAP' and enter the address of a STARTTLS-enabled LDAP server, whose TLS certificate should not be verifiable by the server. Uncheck 'SSL' and 'Allow self-signed certificates'. Check 'StartTLS'.
Provide a bind DN and password in the 'System Username' and 'System Password' fields.
Click the 'Test Server Connection' button.
Context
We run Graylog in a Docker container, using the official Docker image. Our LDAP server is on a different network. We would be better protected against man-in-the-middle attacks if Graylog verifies the LDAP server certificate.
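What the report asks for, shown as an added example that is not Graylog's own code: a minimal LDAP StartTLS client in Python that sends the StartTLS extended operation, checks the server's result code, and then upgrades the socket with an `ssl.SSLContext` that validates the chain to a trusted root (and the hostname) and raises `ssl.SSLCertVerificationError` otherwise. The `allow_self_signed` flag mirrors the 'Allow self-signed certificates' option from the steps above and shows exactly which setting disables the check. The BER parser assumes short-form lengths (replies under 128 bytes), which is enough for a StartTLS reply; the function and parameter names are this example's own.

```python
import socket
import ssl
from typing import Optional

# LDAP StartTLS extended operation OID (RFC 4511, section 4.14).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def _ber_len(n: int) -> bytes:
    """Encode a BER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    request_name = b"\x80" + _ber_len(len(STARTTLS_OID)) + STARTTLS_OID
    extended_req = b"\x77" + _ber_len(len(request_name)) + request_name
    body = b"\x02\x01" + bytes([message_id]) + extended_req
    return b"\x30" + _ber_len(len(body)) + body


def result_code(response: bytes) -> int:
    """Extract resultCode from an ExtendedResponse [APPLICATION 24]; 0 means success.
    Assumption: short-form BER lengths only (reply shorter than 128 bytes)."""
    if response[0:1] != b"\x30":
        raise ValueError("not an LDAPMessage")
    pos = 2                            # skip SEQUENCE tag + length
    if response[pos] != 0x02:
        raise ValueError("missing messageID")
    pos += 2 + response[pos + 1]       # skip INTEGER tag, length, value
    if response[pos] != 0x78:
        raise ValueError("not an ExtendedResponse")
    pos += 2                           # skip APPLICATION 24 tag + length
    if response[pos] != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(response[pos + 2:pos + 2 + response[pos + 1]], "big")


def build_tls_context(trust_store: Optional[str] = None,
                      allow_self_signed: bool = False) -> ssl.SSLContext:
    """Secure default: chain must reach a trusted root and the hostname must match.
    trust_store: path to a PEM bundle; None uses the platform's default roots."""
    ctx = ssl.create_default_context(cafile=trust_store)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if allow_self_signed:
        # This is what 'Allow self-signed certificates' amounts to: no chain
        # validation at all, so any certificate (and any MITM) is accepted.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_chain(ctx: ssl.SSLContext) -> bool:
    """True when the context will reject an unverifiable chain or a wrong hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def ldap_starttls(host: str, port: int, ctx: ssl.SSLContext,
                  timeout: float = 5.0) -> ssl.SSLSocket:
    """Plain connect, send StartTLS, check the result, then upgrade the socket.
    With a verifying context, wrap_socket raises ssl.SSLCertVerificationError
    when the server chain does not end at a root in the trust store."""
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        sock.sendall(starttls_request(1))
        rc = result_code(sock.recv(4096))
        if rc != 0:
            raise ConnectionError(f"server refused StartTLS, resultCode={rc}")
        return ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise


if __name__ == "__main__":
    # Constructed reply: messageID 1, ExtendedResponse with resultCode success(0).
    sample_reply = bytes.fromhex("300c02010178070a010004000400")
    print("StartTLS request:", starttls_request(1).hex())
    print("sample resultCode:", result_code(sample_reply))
    print("secure context verifies chain:", verifies_chain(build_tls_context()))
    print("self-signed context verifies chain:",
          verifies_chain(build_tls_context(allow_self_signed=True)))
```

To run it against a real directory, call `ldap_starttls("ldap.example.test", 389, build_tls_context("/path/to/ca-bundle.pem"))` (placeholder host and path); a handshake that fails with `SSLCertVerificationError` is the correct outcome for a server whose chain is not anchored in that bundle.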
I just upgraded our Graylog installation to 3.3.3 and tried to reproduce this issue. Looks like Graylog now properly validates the LDAP TLS chain. Good to see that this was included in a patch release although it is a breaking change, security is important :)