trevormark

Q: LDAP to DoD Server?

Get this, I just completed a fresh install of Mavericks on a Mac Pro - 4,1.

No more than two hours have gone by, I'm watching the traffic logs on my network firewall and what do I see?

The fresh install attempts multiple LDAP (tcp/389) connections to a couple of DoD servers.

Specifically:

[Screenshot attached: Screen Shot 2015-12-07 at 10.02.05 PM.jpg]

I did a WHOIS on 156.112.110.122 and 156.112.102.122

They both resolve to: crl.gds.disa.mil

[Screenshot attached: Screen Shot 2015-12-07 at 11.17.52 PM.png]

...Now, 'DISA' stands for Defense Information Systems Agency. DISA is a cousin of the NSA - National Security Agency


I then traversed to https://crl.gds.disa.mil and was presented with:

[Screenshot attached: Screen Shot 2015-12-07 at 10.14.17 PM.png]

As you can see, this server is FOUO (For Official Use Only). Why the heck is my fresh install Mavericks machine trying to talk to this guy? Anybody?


~Forever Paranoid

Mac Pro, OS X Mavericks (10.9.5)

Posted on Dec 7, 2015 9:33 PM

  • Solved answer by trevormark

    trevormark, Level 1 (0 points), Dec 7, 2015 10:05 PM, in response to trevormark

    Apparently this is standard operating procedure for automated CRL checking, i.e., if a CRL distribution point is defined in the certificate, the CRL is automatically retrieved from that address.

    In my keychain exists a DOD EMAIL CA-25 Certificate and within it is:

    [Screenshot attached: Screen Shot 2015-12-08 at 12.00.41 AM.png]

    This would explain the fresh install contacting a DoD server via LDAP.
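The mechanism this answer describes (a CRL Distribution Points extension naming an ldap:// URI, which a CRL-checking client then connects to) can be reproduced end to end without touching any DoD host. The following POSIX shell script is an added example, not code from the thread, from Apple or from DISA: it builds a throwaway self-signed CA certificate whose CDP extension carries an LDAP URI and an HTTP URI (both hostnames, ldap.example.test and crl.example.test, and the LDAP DN are constructed, modelled only on the general shape of such URIs), then extracts the URIs from the certificate and turns them into the scheme/host/port triples one would expect to see in a firewall log. It assumes openssl and awk are on the PATH.

```shell
#!/bin/sh
# Added example (not from the original thread): build a test certificate with
# an ldap:// CRL Distribution Point, then list the CDP URIs and the network
# endpoints a CRL-checking client would contact. All hostnames are constructed.
set -e

WORKDIR=$(mktemp -d)
CERT="$WORKDIR/cert.pem"

# Constructed CA config. The CDP list mixes an LDAP URI and an HTTP URI, the
# shape common in enterprise/government PKIs. Commas inside the LDAP DN are
# percent-encoded (%2C) because openssl splits this list on commas.
cat > "$WORKDIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Root CA (constructed)
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
crlDistributionPoints = URI:ldap://ldap.example.test/cn=Example%20Root%20CA%2Cou=PKI%2Co=Example%2Cc=US?certificateRevocationList;binary,URI:http://crl.example.test/ExampleRootCA.crl
EOF

openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORKDIR/key.pem" -out "$CERT" -config "$WORKDIR/ca.cnf" >/dev/null 2>&1

# Print every URI in the certificate's CRL Distribution Points extension, one
# per line, in certificate order. Parses the -text dump so it needs only
# openssl and awk (the newer "x509 -ext" option is not available everywhere).
cdp_uris() {
  openssl x509 -in "$1" -noout -text | awk '
    /X509v3 CRL Distribution Points/ { in_cdp = 1; next }
    in_cdp && /^[ \t]*$/ { next }                      # OpenSSL 1.1.x prints a blank line here
    in_cdp { match($0, /^ */); if (RLENGTH < 16) in_cdp = 0 }   # next extension header: 12-space indent
    in_cdp && match($0, /URI:[^ \t]+/) { print substr($0, RSTART + 4, RLENGTH - 4) }
  '
}

# Turn each URI into "scheme host port" so the outbound connections a client
# will make can be predicted and matched against a firewall log. An ldap://
# distribution point means a plaintext tcp/389 connection to that host.
cdp_endpoints() {
  cdp_uris "$1" | while IFS= read -r uri; do
    scheme=${uri%%://*}
    rest=${uri#*://}
    host=${rest%%[/:?]*}
    case $scheme in
      ldap)  port=389 ;;
      ldaps) port=636 ;;
      http)  port=80 ;;
      https) port=443 ;;
      *)     port=unknown ;;
    esac
    printf '%s %s %s\n' "$scheme" "$host" "$port"
  done
}

echo "CRL distribution points in $CERT:"
cdp_uris "$CERT"
echo "Expected outbound connections during CRL checking:"
cdp_endpoints "$CERT"
```

To run the same check against a real certificate from the keychain, export it as PEM (on OS X, `security find-certificate -c "DOD EMAIL CA-25" -p > dod.pem` writes the first matching certificate) and call `cdp_uris dod.pem`; every host it prints is one the system may legitimately contact the moment that certificate is evaluated, which is the pattern the firewall log in the question shows.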