
Re: ldapsearch do not work with NLDAP over SSL



thanks very much,

  I did check now that 2.1.13 and 2.1.14 from last week contain this
patch.

  poli

On Mon, 3 Mar 2003 spangla@nationwide.com wrote:

>
> Poli,
>
>
> In the past, I had written my own patch to work around this problem.
>
> If I remember correctly, Howard put a change into the CVS HEAD recently on
> this.  I think the bug number was ITS 2161.
>
>  You might want to just apply the same change yourself before building the
> code.
>
> Go to the CVSWeb link on the www.openldap.org site.  Look under
> libraries/libldap/tls.c file.  I cannot remember the exact change.
> (I can't get to the web site right now).
>
>
>
>
> Petr Olivka <petr.olivka@vsb.cz>
> 03/03/03 10:43 AM
> To: <spangla@nationwide.com>
> cc: <petr.olivka@vsb.cz>, <openldap-bugs@OpenLDAP.org>, <owner-openldap-bugs@OpenLDAP.org>
> Subject: Re: ldapsearch do not work with NLDAP over SSL
>
> Yes, I see this in the source. And what is the idea in the configuration
> file of "get server certificate" "never"? I thought that when I never get
> the certificate from the server, I will not check the server name.
> I think that the server name check is a bug, or I probably misunderstand
> the config file usage.
>
> poli
>
>
>
> >
> > OpenLDAP + OpenSSL requires the 'cn=' in the certificate to match exactly
> > with the hostname you specify in your ldap_initialize().
> > If it is a DNS name, it must match perfectly.  If it is a dotted IP
> > address, it must match perfectly.  It's a security feature.
> >
> > By default 'stunnel' does not do the same check.
> >
> >  -Aaron
> >
> >
> >
> >
> >
> > Petr Olivka <petr.olivka@vsb.cz>
> > Sent by: owner-openldap-bugs@OpenLDAP.org
> > 02/03/03 08:32 AM
> > To: <openldap-bugs@OpenLDAP.org>
> > Subject: ldapsearch do not work with NLDAP over SSL
> >
> > Hi !
> >
> >   I have a problem with the ldap utilities connecting to an NLDAP server
> >   over SSL.
> >
> >   When the function "tls_get_cert" calls "ssl3_send_alert", the server
> >   closes the connection (everything finishes when the client sends the
> >   last 29 bytes to the server with the function "write"). I do not know
> >   if the alert is too serious, or if there is some other problem, but
> >   over stunnel everything works fine.
> >
> >   ssl 0.9.6 and 0.9.7
> >   openldap 2.1.12
> >
> >   Petr Olivka
>
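
The name check described in the quoted messages, modelled in C as an added example; it is not part of the thread and not OpenLDAP's own code. The function names, the `reqcert` enum and the sample host names are hypothetical, and it assumes that the "never" setting skips the check, as the poster expected. It goes slightly beyond the thread by taking the certificate name with an explicit length, so a CN containing an embedded NUL byte cannot match a shorter host name.

```c
/* Added example, not OpenLDAP source. All identifiers are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum reqcert { REQCERT_NEVER, REQCERT_DEMAND };   /* models the config setting */

/* 1 if s consists only of digits and dots (dotted IPv4 literal). */
static int is_dotted_ip(const char *s)
{
    if (*s == '\0') return 0;
    for (; *s; s++)
        if (!isdigit((unsigned char)*s) && *s != '.') return 0;
    return 1;
}

/* Compare the host the client was given with the certificate CN.
   cn is length-counted because certificate strings may contain NUL bytes;
   "host\0.other" is longer than "host", so the length test rejects it. */
int name_matches(const char *host, const char *cn, size_t cn_len)
{
    size_t i, host_len = strlen(host);

    if (host_len == 0 || cn_len != host_len) return 0;
    if (is_dotted_ip(host))                  /* IP address: byte-exact */
        return memcmp(host, cn, cn_len) == 0;
    for (i = 0; i < cn_len; i++)             /* DNS name: ignore case only */
        if (tolower((unsigned char)host[i]) != tolower((unsigned char)cn[i]))
            return 0;
    return 1;
}

/* Assumption: with "never" no certificate is requested, so no name check
   runs (and the server is not authenticated). Otherwise the CN must match. */
int peer_name_ok(enum reqcert level, const char *host,
                 const char *cn, size_t cn_len)
{
    if (level == REQCERT_NEVER) return 1;
    if (cn == NULL) return 0;
    return name_matches(host, cn, cn_len);
}

int main(void)
{
    const char cn[] = "ldap.example.com";    /* constructed sample CN */
    printf("by name: %d\n", peer_name_ok(REQCERT_DEMAND, "ldap.example.com", cn, strlen(cn)));
    printf("by IP:   %d\n", peer_name_ok(REQCERT_DEMAND, "192.0.2.10", cn, strlen(cn)));
    printf("never:   %d\n", peer_name_ok(REQCERT_NEVER, "192.0.2.10", NULL, 0));
    return 0;
}
```

Connecting by IP address to a server whose certificate carries only its DNS name fails this check, which is the mismatch a plain tunnel that does not compare names would not notice.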