[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5938) tls.c does not conform to RFC 4513

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#5938) tls.c does not conform to RFC 4513
From: hyc@symas.com
Date: Wed, 11 Feb 2009 00:01:15 GMT

nick.hudson@isode.com wrote:
> Full_Name: nick hudson
> Version: 2.3.38
> OS: linux
> URL:
> Submission from: (NULL) (62.3.217.250)
>
>
> I am looking at the code in tls.c, function ldap_pvt_tls_check_hostname
> (although the code has been refactored in recent versions, into e.g. tls_o.c,
> but the same is true of the new code)
>
> I think the code is doing something that RFC 4513 says that it should not do.
> Specifically, ref RFC 4513 section 3.1.3 says:
>
>     The server's identity may also be verified by comparing the reference
>     identity to the Common Name (CN) [RFC4519] value in the leaf Relative
>     Distinguished Name (RDN) of the subjectName field of the server's
>     certificate.  This comparison is performed using the rules for
>     comparison of DNS names in Section 3.1.3.1, below, with the exception
>     that no wildcard matching is allowed.
>
> In tls.c (and the refactored code), you can see it's first attempting an exact
> comparison on subjectAltName, and if that fails it tries a wildcard match (which
> is ok, as per section 3.1.3.1)
>
> But if no subjectAltName match is found, there's another section which looks at
> the certificate's subjectname, in which it also does a wildcard match, although
> the RFC says this shouldn't be done.

I recall having a long argument against adding this, but we went with it in 
the end. The original patch was in ITS#3134.

Some of the discussion surfaced here
http://www.openldap.org/lists/openldap-software/200404/msg00434.html

It carried on here
http://www.openldap.org/lists/openldap-devel/200405/msg00002.html

I'll also note ITS#5789, we allow matching an IP address against the CN too, 
and according to the spec that's only allowed for subjectAltName. But 
obviously there are lots of people out there misusing X.509, and we're tired 
of telling them to go do it right. It's a losing battle, we just get blamed 
for being broken...

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Prev by Date: RE: (ITS#5919) URI syntaxe (ldap:///dc=my%2cdc=domaine)
Next by Date: Re: (ITS#5756) 2.4 slapo-pcache only caches first lookup for certain templates
Index(es):
- Chronological
- Thread