
Re: TLS problems with OpenLDAP



On Fri, 31 Oct 2008, LÉVAI Dániel wrote:
> I've recreated my certificate/key pair, because I can't seem to get over 
> this issue. I've changed the hostname in the certificate to the ip 
> address of the server. OpenLDAP 2.4.11, Debian testing/lenny system.
...
> TLS: hostname (192.168.1.3) does not match common name in certificate 
> (192.168.1.3).
...
> That last "TLS:" prefixed message bothers me; it tells me that 
> 192.168.1.3 doesn't match with 192.168.1.3?! Why?

Hmm, you mention "Debian testing/lenny".  Does that mean it uses GNUtls?  
Due to differences in APIs, OpenLDAP uses different routines to perform 
the "check hostname against certificate" test depending on whether it's 
built against OpenSSL or GNUtls.  It appears the routine used with GNUtls 
refuses to match IP addresses against a CN subjects component, thus 
explaining that weird message.

(In ldap_pvt_tls_check_hostname(), 'len1' is only non-zero if the hostname 
doesn't look like an IPv6 or IPv4 address, while the subject CN test needs 
'len1' to be the same as the length of the CN value.)

I suggest you file an ITS about that.


Philip Guenther
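The mismatch Philip describes (an IP-literal hostname that never satisfies a length test the CN comparison requires) can be modelled in a few lines, and the same model shows what a correct check looks like. The following Python is an added example written for this page, not OpenLDAP's `ldap_pvt_tls_check_hostname()`; the function names, the emulated `len1` variable and the certificate values are constructed assumptions. The corrected function goes beyond the specific case in the thread: IP literals are matched against iPAddress subjectAltName entries (falling back to a CN that parses as an IP), DNS names against dNSName entries with a single leftmost-label wildcard, and the CN is consulted only when no dNSName entry is present.

```python
import ipaddress


def _parse_ip(text):
    """Return an ip_address object if `text` is an IPv4/IPv6 literal, else None."""
    if text.startswith("[") and text.endswith("]"):  # bracketed IPv6 form
        text = text[1:-1]
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def buggy_check_hostname(hostname, cert_cn):
    """Emulates the failure mode described in the thread (constructed model).

    `len1` is only non-zero when the hostname does NOT look like an IP
    address, yet the CN test insists that len1 equals the CN length.  An IP
    literal therefore fails even when the CN text is byte-for-byte identical,
    which yields a message of the form "hostname (X) does not match ... (X)".
    """
    len1 = 0 if _parse_ip(hostname) is not None else len(hostname)
    return len1 == len(cert_cn) and hostname.lower() == cert_cn.lower()


def _match_dns(host, pattern):
    """Exact match, or a wildcard covering exactly one leftmost label."""
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                 # ".example.com"
        if not host.endswith(suffix):
            return False
        leftmost = host[: -len(suffix)]      # the label the '*' stands for
        return leftmost != "" and "." not in leftmost
    return False


def check_hostname(hostname, cert_cn, san_dns=(), san_ip=()):
    """Reference-style check: IP literals and DNS names take separate paths.

    san_dns / san_ip stand in for the certificate's dNSName and iPAddress
    subjectAltName entries (constructed inputs, not parsed from a real cert).
    """
    ip = _parse_ip(hostname)
    if ip is not None:
        # An IP literal is compared as an address, never as a DNS string.
        if any(_parse_ip(entry) == ip for entry in san_ip):
            return True
        return _parse_ip(cert_cn) == ip      # legacy fallback: CN holding an IP
    host = hostname.lower().rstrip(".")
    # When dNSName SANs exist the CN is ignored; otherwise the CN is the only name.
    candidates = [n.lower() for n in san_dns] if san_dns else [cert_cn.lower()]
    return any(_match_dns(host, pattern) for pattern in candidates)


if __name__ == "__main__":
    # Constructed reproduction of the thread's scenario: CN holds the server IP.
    server, cn = "192.168.1.3", "192.168.1.3"
    print("buggy :", buggy_check_hostname(server, cn))   # False, the reported symptom
    print("fixed :", check_hostname(server, cn))         # True
```

Running the block prints the emulated failure next to the corrected result; the practical lesson for an operator is that a certificate meant for an IP endpoint should carry an iPAddress SAN rather than rely on the CN, since that is the field a standards-conforming client checks for IP literals.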