Security concerns: server authentication

giner
Posts: 29
Joined: 24 Sep 2014, 07:45

Security concerns: server authentication

Post by giner »

Hello,

Is there any reason why "verify_server_cert" is disabled in the default configuration?

Best regards,
Stanislav
ueluekmen
uib-Team
Posts: 1939
Joined: 28 May 2008, 10:53

Re: Security concerns: server authentication

Post by ueluekmen »

Hi stanislav,

that's because the verify_server_cert option is not a full security feature. If you set this option, your clients will save the public key of the server ssl-cert on an initial connect. After that, the client will decline connections if your server-ssl-cert is changed or expires. In the default option, opsi uses self-signed certificates. This option will confuse most opsi users, because most people don't think about this kind of feature. If we set this as default, many users will post here, because the chance to crash the function of opsi is higher than the security benefit you will get with this feature. But you have a minimal security advantage and you should use this option if you work over a DMZ. But if you do that, then we will recommend buying a CA-signed certificate from us, to prevent man-in-the-middle attacks and secure your clients from bad opsi servers in the world.
opsi support - uib gmbh
For productive opsi installations we recommend support contracts.
http://www.uib.de
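
A generic sketch of the trust-on-first-use behaviour described in the reply above, added here as an illustration; it is not opsi's code. The PinStore class, the host name and the key bytes are constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime, timezone


class PinStore:
    """Trust-on-first-use store: host -> SHA-256 of the server's public key."""

    def __init__(self):
        self.pins = {}

    def check(self, host, public_key_der, not_after, now=None):
        """Return 'pinned-first-use', 'ok', 'reject-expired' or 'reject-key-changed'."""
        now = now or datetime.now(timezone.utc)
        if now > not_after:
            return "reject-expired"
        digest = hashlib.sha256(public_key_der).hexdigest()
        pinned = self.pins.get(host)
        if pinned is None:
            # First contact: nothing to compare against, so whoever answers gets pinned.
            self.pins[host] = digest
            return "pinned-first-use"
        if hmac.compare_digest(pinned, digest):
            return "ok"
        return "reject-key-changed"


def demo():
    # Constructed stand-ins for DER-encoded public keys (not real keys).
    server_key = b"constructed-server-public-key"
    other_key = b"constructed-different-public-key"
    host = "opsi.example.internal"  # constructed host name
    now = datetime(2014, 10, 1, tzinfo=timezone.utc)
    expiry = datetime(2015, 10, 1, tzinfo=timezone.utc)
    renewed = datetime(2016, 10, 1, tzinfo=timezone.utc)
    after_expiry = datetime(2015, 12, 1, tzinfo=timezone.utc)
    store = PinStore()
    results = [
        store.check(host, server_key, expiry, now),           # initial connect
        store.check(host, server_key, expiry, now),           # same key again
        store.check(host, other_key, expiry, now),            # key replaced
        store.check(host, server_key, renewed, now),          # renewed, key reused
        store.check(host, server_key, expiry, after_expiry),  # certificate expired
    ]
    # A client with no stored pin accepts whichever key it sees first.
    fresh = PinStore().check(host, other_key, expiry, now)
    return results, fresh


if __name__ == "__main__":
    print(demo())
```

The last case shows why pinning alone does not authenticate the first connection, and the third and fifth show the two ways a routine certificate change locks clients out.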
giner
Posts: 29
Joined: 24 Sep 2014, 07:45

Re: Security concerns: server authentication

Post by giner »

ueluekmen wrote: Hi stanislav,

that's because the verify_server_cert option is not a full security feature. If you set this option, your clients will save the public key of the server ssl-cert on an initial connect. After that, the client will decline connections if your server-ssl-cert is changed or expires. In the default option, opsi uses self-signed certificates. This option will confuse most opsi users, because most people don't think about this kind of feature. If we set this as default, many users will post here, because the chance to crash the function of opsi is higher than the security benefit you will get with this feature. But you have a minimal security advantage and you should use this option if you work over a DMZ. But if you do that, then we will recommend buying a CA-signed certificate from us, to prevent man-in-the-middle attacks and secure your clients from bad opsi servers in the world.
Hello,

I would agree that it does not have a big security advantage if your PCs never leave your network. However, it does when half of your computers are laptops which are out of the office most of the time.

I understand why you do not enable this by default. If you do, then some people will get issues with the certificate expiring or other related issues. Maybe this could be made configurable during deb-package installation with all the warnings? Something like: "Choose yes (default) if you know what you are doing and choose no otherwise".

Best regards,
Stanislav
ueluekmen
uib-Team
Posts: 1939
Joined: 28 May 2008, 10:53

Re: Security concerns: server authentication

Post by ueluekmen »

Hi Stanislav,
giner wrote: Maybe this could be made configurable during deb-package installation with all the warnings? Something like: "Choose yes (default) if you know what you are doing and choose no otherwise".
Sorry, but this is not possible. In deb packages this is no problem. We have this in the opsi-depotserver package. This package will ask during installation whether dhcp, samba and sudoers should be patched. But this feature is not available in rpm packages.
opsi support - uib gmbh
For productive opsi installations we recommend support contracts.
http://www.uib.de