Re: start_tls: connect error
Howard Chu wrote:
> Michael Ströder wrote:
>> Howard Chu wrote:
>>> Show the output with debugging enabled. Note that "localhost" is treated
>>> specially, and will be replaced by the local hostname instead of being used
>>> directly in the name comparison.
>>
>> Why that? I strongly dislike automagic things when doing security checks.
>
> Probably because "localhost" is useless in an actual cert from a remote
> server.
Yes. But nothing prevents the client from providing the correct hostname.
> This has been a feature of libldap since 2.1, so it's certainly
> nothing new.
You can blame me that I did not notice this feature before. Still I think
that's broken, since libldap then has to rely on trustworthy name resolution
instead of just comparing the inherently trusted user input against the cert's
CN attribute. Hmm, didn't we have this discussion before?
Ciao, Michael.
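The point under dispute is whether the name compared against the certificate should be exactly what the user configured, or a resolved substitute. The following is an added illustration, not libldap's code, and the certificates are constructed in the shape Python's ssl module uses. The "libldap" policy is modelled only on Howard's description above (a literal "localhost" is swapped for the local hostname before the comparison); the resolver it uses is an injectable assumption so the effect can be shown without touching the real system name.

```python
"""Certificate name check under the two policies discussed in the thread.

Added illustration, not code from libldap. Certificates are constructed
dicts in the layout returned by ssl.SSLSocket.getpeercert().
"""
import socket


def cert_dns_names(cert):
    """Names the certificate claims: all subjectAltName dNSName entries;
    the subject commonName is consulted only when no dNSName exists."""
    sans = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for (k, v) in rdn if k == "commonName"]


def _name_match(pattern, hostname):
    """Case-insensitive match with a single leftmost wildcard label allowed."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = hostname.split(".")
        # wildcard covers exactly one non-empty leftmost label
        return len(labels) >= 2 and labels[0] != "" \
            and ".".join(labels[1:]) == pattern[2:]
    return False


def name_to_check(user_host, policy="user", resolver=socket.gethostname):
    """'user': compare the configured name as given (Michael's position).
    'libldap': a literal "localhost" is replaced by the resolved local
    hostname before comparison (Howard's description; assumed behaviour)."""
    if policy == "libldap" and user_host.lower() == "localhost":
        return resolver()
    return user_host


def verify(user_host, cert, policy="user", resolver=socket.gethostname):
    """True when some name in the certificate matches the name chosen by policy."""
    expected = name_to_check(user_host, policy, resolver)
    return any(_name_match(n, expected) for n in cert_dns_names(cert))


# Constructed sample certificates (not real material).
CERT_LOCALHOST = {"subject": ((("commonName", "localhost"),),)}
CERT_BOX = {"subject": ((("commonName", "box.example.org"),),),
            "subjectAltName": (("DNS", "box.example.org"),)}
CERT_WILDCARD = {"subjectAltName": (("DNS", "*.example.org"),)}


def demo(local_name="box.example.org"):
    """Outcome of both policies against the sample certs, with a fixed
    resolver so the result does not depend on the machine running it."""
    fixed = lambda: local_name
    return {
        # user typed "localhost"; the cert literally says "localhost"
        "user/localhost": verify("localhost", CERT_LOCALHOST, "user", fixed),
        "libldap/localhost": verify("localhost", CERT_LOCALHOST, "libldap", fixed),
        # user typed "localhost"; the cert carries the resolved local name
        "user/box": verify("localhost", CERT_BOX, "user", fixed),
        "libldap/box": verify("localhost", CERT_BOX, "libldap", fixed),
        # wildcard SAN covers one label only
        "wild/one": verify("ldap.example.org", CERT_WILDCARD, "user", fixed),
        "wild/two": verify("a.b.example.org", CERT_WILDCARD, "user", fixed),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20s} {v}")
```

Under the "libldap" policy the result for a configured "localhost" depends entirely on what the resolver returns, which is the dependency Michael objects to; under the "user" policy it depends only on the configured string and the certificate.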