Full_Name: Silvio Wanka
Version: openldap-client-2.4.44
OS: FreeBSD 10.3-RELEASE-p16
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (62.138.118.158)

Hi,

if I use "ldap:///dc%3Dexample%2Cdc%3Dorg" on a test system all works properly, but I must use LDAPS on a DMZ system and so I try "ldaps:///dc%3Dexample%2Cdc%3Dorg", but this searches for an ldap DNS SRV record, which of course returns the normal ldap port, not the ldaps port. This can't work, because a firewall is in between. Is this normal (by design) or a bug? There is also an old discussion on your site: http://www.openldap.org/lists/openldap-technical/201203/msg00027.html. IMO OpenSSL should either support DNS SRV lookup for each scheme or for none.

TIA, Silvio
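The mechanism behind the report, as an added example (not OpenLDAP's own code, and not part of the original post): a host-less LDAP URL is turned into a DNS domain from the DN's dc= components and then into an SRV owner name, which is looked up to find host and port. The example models the reported behaviour, where the SRV service label is always _ldap whatever the URL scheme, and contrasts it with a scheme-aware lookup (an assumption, not something the library does). DNS answers come from a constructed in-memory table, and the zone, the hostname ldap1.example.org and the _ldaps._tcp record are constructed for the demonstration; DN splitting on commas is simplified and ignores escaped commas.

```python
"""Model of the LDAP URL -> DNS SRV mapping from the report above (added example)."""
from urllib.parse import urlsplit, unquote

# Constructed SRV answers standing in for real DNS (assumption: a zone with the
# standard _ldap SRV on port 389 and a non-standard _ldaps SRV on port 636).
# Record tuple: (priority, weight, port, target)
FAKE_DNS = {
    "_ldap._tcp.example.org.": [(0, 100, 389, "ldap1.example.org.")],
    "_ldaps._tcp.example.org.": [(0, 100, 636, "ldap1.example.org.")],
}

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


def dn_to_domain(dn):
    """Join the dc= RDNs of a DN into a DNS domain (RFC 2247):
    dc=example,dc=org -> example.org. Simplified: ignores escaped commas."""
    labels = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().lower() == "dc":
            labels.append(value.strip())
    return ".".join(labels)


def url_to_srv_name(url, scheme_aware=False):
    """Return (scheme, SRV owner name) for an LDAP URL without a host.

    scheme_aware=False models the behaviour described in the report: the SRV
    service label is always _ldap, even for an ldaps:// URL.
    scheme_aware=True is the alternative the reporter asks for (assumption).
    """
    parts = urlsplit(url)
    if parts.hostname:
        raise ValueError("URL carries a host; no SRV lookup is needed")
    dn = unquote(parts.path.lstrip("/"))
    domain = dn_to_domain(dn)
    if not domain:
        raise ValueError("DN has no dc= components; cannot derive a domain")
    service = parts.scheme if scheme_aware else "ldap"
    return parts.scheme, f"_{service}._tcp.{domain}."


def locate(url, dns=FAKE_DNS, scheme_aware=False):
    """Resolve a host-less LDAP URL to (host, port) via SRV, or None if absent."""
    _scheme, name = url_to_srv_name(url, scheme_aware)
    records = dns.get(name)
    if not records:
        return None
    # RFC 2782 selection, simplified: lowest priority, then highest weight.
    _prio, _weight, port, target = sorted(records, key=lambda r: (r[0], -r[1]))[0]
    return target.rstrip("."), port


def port_matches_scheme(scheme, port):
    """True if the SRV-supplied port is the usual port for the URL scheme."""
    return port == DEFAULT_PORT[scheme]


if __name__ == "__main__":
    for url in ("ldap:///dc%3Dexample%2Cdc%3Dorg", "ldaps:///dc%3Dexample%2Cdc%3Dorg"):
        scheme, name = url_to_srv_name(url)
        host, port = locate(url)
        verdict = "ok" if port_matches_scheme(scheme, port) else "wrong port for scheme"
        print(f"{url}: queries {name} -> {host}:{port} ({verdict})")
    # With a scheme-aware lookup and the constructed _ldaps record, ldaps:// gets 636.
    print("scheme-aware ldaps:", locate("ldaps:///dc%3Dexample%2Cdc%3Dorg", scheme_aware=True))
```

Running it shows the ldaps:/// URL being answered from _ldap._tcp.example.org with port 389, which is the reporter's observation; a firewall that only passes 636 into the DMZ then blocks the connection. The scheme-aware branch only helps if the zone actually publishes a _ldaps._tcp record, which is not standardised.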
moved from Incoming to Software Bugs
This issue seems to be still present in master.
Also present in the Debian version (ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.50+dfsg-1).
And there is still no standard which defines a decent TLS domain name check for SRV RRs with well-defined subjectAltName values to prevent MITM attacks. See also: https://tools.ietf.org/html/rfc6125#section-3