
RE: OpenLDAP Need to be compliant with RFC 2830 (with regards to Server Identity Check) (ITS#1490)



This has been fixed since September 2, release 2.0.13. The current release
is 2.0.18. You should update your distribution.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of
> kyle.johnson@duke.edu
> Sent: Tuesday, December 11, 2001 6:49 PM
> To: openldap-its@OpenLDAP.org
> Subject: OpenLDAP Need to be compliant with RFC 2830 (with regards to
> Server Identity Check) (ITS#1490)
>
>
> Full_Name: Kyle Johnson
> Version: 2.0.11
> OS: RedHat Linux 7.1
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (24.25.10.149)
>
>
> We have an enterprise LDAP directory to which connections will only be
> allowed via a secure connection (i.e. SSL).  The server has a signed
> certificate from Verisign, but we are unable to establish a secure
> connection.  It appears that OpenLDAP is expecting (demanding really) that
> the CNAME in the DNS match the certificate.  However, that is in direct
> violation of RFC 2830, which states:
>
> ---
> 3.6.  Server Identity Check
>
>    The client MUST check its understanding of the server's hostname
>    against the server's identity as presented in the server's
>    Certificate message, in order to prevent man-in-the-middle attacks.
>
>    Matching is performed according to these rules:
>
>    - The client MUST use the server hostname it used to open the LDAP
>      connection as the value to compare against the server name as
>      expressed in the server's certificate.  The client MUST NOT use the
>      server's canonical DNS name or any other derived form of name.
>
>    - If a subjectAltName extension of type dNSName is present in the
>      certificate, it SHOULD be used as the source of the server's
>      identity.
>
>    - Matching is case-insensitive.
>
>    - The "*" wildcard character is allowed.  If present, it applies only
>      to the left-most name component.
> ---
> Note the first rule.  That is where the problem is.
>
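The matching rules quoted from RFC 2830 section 3.6, as an added Python example (not OpenLDAP code): the hostname the client used to open the connection is compared against subjectAltName dNSName entries, falling back to the subject CN only when none are present, case-insensitively, with "*" accepted only as the whole left-most label (a strict reading, assumed here). The hostnames and certificate names are constructed to mirror the report's CNAME situation.

```python
from typing import List, Optional


def name_matches(cert_name: str, hostname: str) -> bool:
    """Compare one certificate name against the hostname used to connect.
    Case-insensitive; "*" is allowed only as the entire left-most label
    (strict reading of RFC 2830 3.6, assumed here)."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False  # a wildcard never spans more than one label
    for i, (c, h) in enumerate(zip(cert_labels, host_labels)):
        if "*" in c:
            if i != 0 or c != "*":
                return False  # wildcard elsewhere, or partial, is rejected
            continue
        if c != h:
            return False
    return True


def server_identity_check(connect_host: str, san_dns_names: List[str],
                          subject_cn: Optional[str]) -> bool:
    """RFC 2830 3.6: the name compared is the one the client used to open
    the connection, never a CNAME-resolved canonical name.  dNSName SANs
    are the preferred identity source; the CN is used only without them."""
    if san_dns_names:
        candidates = san_dns_names
    else:
        candidates = [subject_cn] if subject_cn else []
    return any(name_matches(c, connect_host) for c in candidates)


# Constructed scenario: the client connects to a service alias that is a
# DNS CNAME for the real host, and the certificate was issued for the alias.
CONNECT_HOST = "ldap.example.edu"     # hostname the client was given
CANONICAL_HOST = "dir01.example.edu"  # what the CNAME resolves to
CERT_SAN = ["ldap.example.edu"]
CERT_CN = "ldap.example.edu"


def demo() -> tuple:
    """Returns (compliant_result, canonical_name_result)."""
    compliant = server_identity_check(CONNECT_HOST, CERT_SAN, CERT_CN)
    # The behaviour the report complains about: checking the resolved
    # canonical name instead of the name used to connect fails here.
    noncompliant = server_identity_check(CANONICAL_HOST, CERT_SAN, CERT_CN)
    return compliant, noncompliant
```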