Full_Name: Aaron Spangler
Version: 2.1.4 & 2.0.25
OS: Solaris 8
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (155.188.255.8)

Description: cannot turn off tls_check_hostname

I am using openldap + openssl(0.9.6g) to connect to an LDAP server. The server certificate subject is cn=servername.domain.domain

ldap_initialize(&ldp,"ldaps://servername.domain.domain") works great.

The problem is that we cannot rely on name resolution in our environment. I want to instead connect via the IP address to make things more stable.

ldap_initialize(&ldp,"ldaps://10.2.3.4") fails with 'TLS: hostname does not match common name in certificate'

I tried using ldap_set_option for LDAP_OPT_X_TLS_REQUIRE_CERT=0, which maps to the underlying ssl function SSL_CTX_set_verify(...,SSL_VERIFY_NONE,...), but it appears to make no difference.

On further investigation of <openldap>/libraries/libldap/tls.c it looks as if ALWAYS called by ldap_int_tls_start() and there appears to be no way to turn it off. [I checked openldap 2.1.4 & 2.0.25]

Any suggestions short of hard coding a return (LDAP_SUCCESS) inside of ldap_pvt_tls_check_hostname()?

Thanks for your help in advance.

-Aaron Spangler
One suggestion: add subjectAltName=DNS:10.2.3.4 to your server cert.

--
Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of
> spangla@nationwide.com
> Sent: Wednesday, October 30, 2002 8:45 AM
> To: openldap-its@OpenLDAP.org
> Subject: tls_check_hostname (ITS#2161)
>
> Full_Name: Aaron Spangler
> Version: 2.1.4 & 2.0.25
> OS: Solaris 8
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (155.188.255.8)
>
> Description: cannot turn off tls_check_hostname
>
> I am using openldap + openssl(0.9.6g) to connect to an LDAP server.
> The server certificate subject is cn=servername.domain.domain
>
> ldap_initialize(&ldp,"ldaps://servername.domain.domain") works great.
>
> The problem is that we cannot rely on name resolution in our
> environment. I want to instead connect via the IP address to make
> things more stable.
>
> ldap_initialize(&ldp,"ldaps://10.2.3.4") fails with 'TLS:
> hostname does not match common name in certificate'
>
> I tried using ldap_set_option for LDAP_OPT_X_TLS_REQUIRE_CERT=0
> which maps to the underlying ssl functions
> SSL_CTX_set_verify(...,SSL_VERIFY_NONE,...) But it
> appears to not make a difference.
>
> On further investigation of <openldap>/libraries/libldap/tls.c
> it looks as if ALWAYS called by ldap_int_tls_start() and there
> appears to be no way to turn it off. [I checked openldap 2.1.4 & 2.0.25]
>
> Any suggestions short of hard coding a return (LDAP_SUCCESS) inside of
> ldap_pvt_tls_check_hostname()?
>
> Thanks for your help in advance.
>
> -Aaron Spangler
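To show what a hostname check has to do for the situation in this report (a certificate whose subject is cn=servername.domain.domain, and a client that connects to 10.2.3.4), here is an added example, not code from OpenLDAP or from the thread. It implements the standard matching rules in Python over the dict layout that ssl.SSLSocket.getpeercert() returns: an IP literal is matched only against "IP Address" subjectAltName entries, never against the CN, and the CN is consulted only when the certificate carries no subjectAltName at all. The certificates below are constructed.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed certificate in getpeercert() layout: the CN from the report plus
# the SAN entries a server reached by IP address would need.
SERVER_CERT_WITH_SAN = {
    "subject": ((("commonName", "servername.domain.domain"),),),
    "subjectAltName": (
        ("DNS", "servername.domain.domain"),
        ("IP Address", "10.2.3.4"),
    ),
}

# Constructed certificate matching the report: CN only, no subjectAltName.
SERVER_CERT_CN_ONLY = {
    "subject": ((("commonName", "servername.domain.domain"),),),
}


def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-name match; one leading '*.' wildcard covers one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_hostname(cert: dict, target: str) -> Tuple[bool, Optional[str]]:
    """Return (ok, reason). IP literals only match 'IP Address' SANs; names match
    DNS SANs, or the subject CN only when the cert has no SAN extension."""
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None
    sans = cert.get("subjectAltName", ())
    if target_ip is not None:  # IP literal: CN and DNS entries never apply
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == target_ip:
                return True, None
        return False, f"no IP Address SAN for {target}"
    if sans:  # SAN present: CN is ignored entirely
        if any(kind == "DNS" and _dns_match(value, target) for kind, value in sans):
            return True, None
        return False, f"no DNS SAN matches {target}"
    for rdn in cert.get("subject", ()):  # legacy fallback: CN only without SAN
        for key, value in rdn:
            if key == "commonName" and _dns_match(value, target):
                return True, None
    return False, f"commonName does not match {target}"
```

Running check_hostname(SERVER_CERT_CN_ONLY, "10.2.3.4") reproduces the report's failure, and the same target passes against SERVER_CERT_WITH_SAN, which is the effect of adding a SAN rather than disabling the check.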
I added this one line and it works for me. I am assuming tls_opt_require_cert is the right variable. Maybe even move the new statement up by two lines. I'll leave it up to the openldap team.

-Aaron

*** libraries/libldap/tls.c.orig Sat Jan 26 14:55:02 2002 --- libraries/libldap/tls.c Wed Oct 30 15:00:05 2002 *************** *** 1121,1126 **** --- 1121,1127 ---- ld->ld_errno = ldap_pvt_tls_check_hostname( ssl, host ); if (ld->ld_errno != LDAP_SUCCESS) { + if (tls_opt_require_cert) return ld->ld_errno; }
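Review bot: when tls_opt_require_cert is unset, the hunk falls through with ld->ld_errno still holding the mismatch error returned by ldap_pvt_tls_check_hostname(), so a later caller inspecting ld_errno sees a failure on a connection that was deliberately allowed to proceed; add `ld->ld_errno = LDAP_SUCCESS;` in the non-required branch, and log the skipped hostname mismatch so that a connection that went through without a verified name is visible in the server logs. The report describes LDAP_OPT_X_TLS_REQUIRE_CERT=0 as the setting that should disable the check, and the submitter says the variable name is an assumption, so the bare `if (tls_opt_require_cert)` test, which treats any non-zero value as "required", should be checked against the full set of values that option accepts before this is merged.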
changed notes changed state Open to Closed
changed notes changed state Closed to Test moved from Incoming to Software Bugs
changed notes changed state Test to Release
changed notes changed state Release to Closed
moved from Software Bugs to Archive.Software Bugs
Alternate fix in HEAD applied to RE21