
Re: start_tls: connect error



Michael Ströder wrote:
> Howard Chu wrote:
>> Michael Ströder wrote:
>>> Howard Chu wrote:
>>>> Show the output with debugging enabled. Note that "localhost" is treated
>>>> specially, and will be replaced by the local hostname instead of being used
>>>> directly in the name comparison.
>>>
>>> Why that? I strongly dislike automagic things when doing security checks.
>>
>> Probably because "localhost" is useless in an actual cert from a remote
>> server.
> 
> Yes. But nothing prevents the client from providing the correct hostname.

Laziness, and the ubiquity of "localhost" in canned configs...

>> This has been a feature of libldap since 2.1, so it's certainly
>> nothing new.

> You can blame me for not noticing this feature before. Still, I think
> that's broken, since libldap then has to rely on trustworthy name resolution
> instead of just comparing the inherently trusted user input against the cert's
> CN attribute. Hmm, didn't we have this discussion before?

I'm sure we have. Replacing "localhost" with the output of gethostname() is
still inherently secure.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
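The substitution Howard describes above, as an added illustration in C (this is not libldap's code; it is a hypothetical re-implementation of the name comparison, with the local hostname passed in as a parameter so the logic can be exercised without depending on the machine it runs on, plus a wrapper that calls the real gethostname()). The strict variant shows the alternative Michael argues for, where the user-supplied name is compared as-is:

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>

/* Hypothetical illustration of the check discussed in the thread:
 * a requested name of "localhost" is replaced by the local hostname
 * before being compared against the certificate's CN. local_name is
 * what gethostname() would return, injected here for testability.
 * Returns 1 on match, 0 otherwise. Hostnames are case-insensitive. */
int hostname_matches(const char *requested, const char *cert_cn,
                     const char *local_name)
{
    const char *effective = requested;
    if (strcasecmp(requested, "localhost") == 0)
        effective = local_name;
    return strcasecmp(effective, cert_cn) == 0;
}

/* Same check using the real gethostname() of the running machine. */
int hostname_matches_here(const char *requested, const char *cert_cn)
{
    char local[256];
    if (gethostname(local, sizeof local) != 0)
        return 0;                       /* cannot resolve: refuse to match */
    local[sizeof local - 1] = '\0';     /* gethostname may not NUL-terminate */
    return hostname_matches(requested, cert_cn, local);
}

/* Strict variant: compare the user-supplied name directly against the CN,
 * with no substitution, so a request for "localhost" only matches a cert
 * whose CN is literally "localhost". */
int hostname_matches_strict(const char *requested, const char *cert_cn)
{
    return strcasecmp(requested, cert_cn) == 0;
}

int main(void)
{
    /* Constructed sample values, not taken from any real deployment. */
    const char *local = "ldap.example.com";
    printf("localhost vs CN=ldap.example.com (substituted): %d\n",
           hostname_matches("localhost", "ldap.example.com", local));
    printf("localhost vs CN=localhost (substituted):        %d\n",
           hostname_matches("localhost", "localhost", local));
    printf("localhost vs CN=localhost (strict):             %d\n",
           hostname_matches_strict("localhost", "localhost"));
    printf("localhost vs CN of this host (real gethostname): %d\n",
           hostname_matches_here("localhost", "ldap.example.com"));
    return 0;
}
```

Note the consequence the thread points at: with the substitution, a request for "localhost" matches a cert issued for the machine's real name, but no longer matches a cert whose CN is literally "localhost" unless gethostname() happens to return that string; the check's outcome therefore depends on the local name configuration rather than only on the name the caller supplied.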