Re: Hostname does not match common name problem

[Quanah Gibson-Mount <quanah@zimbra.com>]

--On Saturday, March 14, 2009 12:21 PM +0100 Michael StrÃder 
<michael@stroeder.com> wrote:

> Sascha wrote:
> > I have a problem with an LDAP server that I need to connect to. I
> > have the required certificate stored on the client but I am getting
> > the following error message:
> >
> > "TLS: hostname (A.xyz123.com) does not match common name in
> > certificate (*.xyz123.com)"
>
> Personally I'm scared of accepting wildcard certs for security reasons.
>
> > As far as I understand it, RFC4514 section 3.1.3 allows wildcards
> > thus the connection should work, shouldn't it?
>
> It's RFC 4513, section 3.1.3. And there it says:
>
>    The server's identity may also be verified by comparing the reference
>    identity to the Common Name (CN) [RFC4519] value in the leaf Relative
>    Distinguished Name (RDN) of the subjectName field of the server's
>    certificate.  This comparison is performed using the rules for
>    comparison of DNS names in Section 3.1.3.1, below, with the exception
>    that no wildcard matching is allowed.
>
> So wildcard DNS names in CN is explicitly not allowed. You can try with
> wildcard patterns in the subjectAltName cert extension.

Except that most cert vendors put the wildcard in CN and not 
subjectAltName.  I note everything I ever tested with a wildcart cert 
accepted this *except* OpenLDAP.  So I submitted an ITS somewhere back in 
OpenLDAP 2.2 land to allow this, and it has been in place ever since, and 
works to this day AFAIK.

--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration