[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: StartTLS with a host alias

To: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Subject: Re: StartTLS with a host alias
From: Howard Chu <hyc@symas.com>
Date: Sat, 07 Jun 2008 13:19:26 -0700
Cc: robertminsk@yahoo.com, openldap-software@openldap.org
In-reply-to: <hbf.20080607s32c@bombur.uio.no>
References: <516293.97051.qm@web32503.mail.mud.yahoo.com> <hbf.20080607pwxf@bombur.uio.no> <484AE958.9040406@symas.com> <hbf.20080607s32c@bombur.uio.no>
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9pre) Gecko/2008043023 SeaMonkey/2.0a1pre

Hallvard B Furuseth wrote:

Howard Chu writes:

Well, there can be any number of CNs in a DN. But only the
most-inferior RDN actually names the certificate, therefore that's the
only one that may be used in hostname checking.


Then something (OpenSSL?) is broken.  The hostname which succeeded is in
the topmost of his RDNs which has a CN, not in the most inferior RDN.

Hm, good point. The OpenSSL function used in libldap/tls.c doesn't have an argument to specify which CN to return. That code may need to be rewritten.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- StartTLS with a host alias
  - From: Robert Minsk <robertminsk@yahoo.com>
- Re: StartTLS with a host alias
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
- Re: StartTLS with a host alias
  - From: Howard Chu <hyc@symas.com>
- Re: StartTLS with a host alias
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>

Prev by Date: Re: StartTLS with a host alias
Next by Date: Re: can syncrepl do this?
Index(es):
- Chronological
- Thread