
RE: RFC 2830 TLS server identity checks



I've just checked this in. The code now checks for the subjectAltName before looking at the certificate subject's CommonName. It also does wildcard checks on the altnames. The RFC doesn't specify, but I don't believe you should ever see a CommonName with a wildcard present, so that is left as a straight comparison.

Something that might be desirable as an enhancement would be to allow a client to continue with a connection even if the server name doesn't match. I believe we would need to add an error code to describe this case, or perhaps a callback function for prompting the user. It might also require a command-line option, perhaps an ldaprc keyword as well. Maybe more work than it's worth.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc

> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Kurt D. Zeilenga
> Sent: Wednesday, August 29, 2001 2:46 PM
> To: openldap-devel@OpenLDAP.org
> Subject: RFC 2830 TLS server identity checks
>
>
> Fully implementing 2830, Section 3.6, Server identity checks
> is another big TODO for 2.1.  OpenSSL API experience useful.
> Any takers?
>
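The matching order described in the reply above (subjectAltName dNSName entries first, with a wildcard allowed only as the left-most label, then the CommonName as a plain comparison) as an added, self-contained example. This is not the OpenLDAP code that was checked in and uses no OpenSSL calls: the certificate has already been parsed, so the function takes the dNSName strings and the CN directly. It treats dNSName entries, when any are present, as authoritative and does not fall back to the CN in that case; that is the RFC 2830 Section 3.6 reading ("SHOULD be used as the source of the server's identity"), and the message does not say what the checked-in code does there. The function names, the sample altname list and the hostnames are constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DNS names are case-insensitive, so all comparisons go through this. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Match a hostname against one dNSName value from subjectAltName.
 * A '*' is honoured only when it is the whole left-most label
 * ("*.example.com"). It never spans a dot, so "*.example.com" covers
 * "ldap.example.com" but neither "example.com" nor "a.b.example.com". */
int dnsname_match(const char *host, const char *pattern)
{
    if (pattern[0] == '*' && pattern[1] == '.') {
        const char *dot = strchr(host, '.');
        /* the host needs exactly one label in front of the suffix */
        if (dot == NULL || dot == host)
            return 0;
        return ieq(dot + 1, pattern + 2);
    }
    return ieq(host, pattern);
}

/* RFC 2830 3.6 style identity check.
 * Returns 1 when the host the client connected to is named by the
 * certificate, 0 otherwise. altnames: dNSName values (may be NULL when
 * n_alt is 0); cn: subject CommonName or NULL. The CN is compared as a
 * straight string, so a wildcard in the CN does not match anything. */
int check_server_identity(const char *host, const char *const *altnames,
                          size_t n_alt, const char *cn)
{
    if (n_alt > 0) {
        for (size_t i = 0; i < n_alt; i++)
            if (dnsname_match(host, altnames[i]))
                return 1;
        return 0; /* altnames present but none match: CN is not consulted */
    }
    if (cn == NULL)
        return 0;
    return ieq(host, cn);
}

/* Constructed sample: a certificate carrying two dNSName entries. */
const char *const sample_altnames[] = { "*.example.com", "ldap.corp.example" };
const size_t sample_n_alt = 2;

int main(void)
{
    const char *hosts[] = { "LDAP.Example.COM", "example.com",
                            "a.b.example.com", "ldap.corp.example" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-20s -> %s\n", hosts[i],
               check_server_identity(hosts[i], sample_altnames, sample_n_alt,
                                     "ldap.example.com") ? "match" : "no match");
    /* No altnames at all: fall back to the CN, still without wildcards. */
    printf("CN only, exact      -> %s\n",
           check_server_identity("ldap.example.com", NULL, 0,
                                 "ldap.example.com") ? "match" : "no match");
    printf("CN only, wildcard   -> %s\n",
           check_server_identity("ldap.example.com", NULL, 0,
                                 "*.example.com") ? "match" : "no match");
    return 0;
}
```

The wildcard rule deliberately stops at one label on purpose: accepting "*.example.com" for "a.b.example.com" would let a certificate issued for one subdomain level stand in for any depth below it, which is the kind of over-broad match a client-side check exists to refuse.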