Issue 7006 - openldap does not accept wildcard certificates with mozilla/nss
Summary: openldap does not accept wildcard certificates with mozilla/nss
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd (show other issues)
Version: unspecified
Hardware: All All
: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-08-01 14:32 UTC by hash_oldap@cycdolphin.net
Modified: 2014-08-01 21:04 UTC (History)
0 users

See Also:


Attachments

Description hash_oldap@cycdolphin.net 2011-08-01 14:32:44 UTC
Full_Name: Philippe Kueck
Version: 2.4.23 / 2.4.26
OS: RHEL 6.1
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (82.98.65.86)


When compiled against Mozilla/NSS, OpenLDAP does not accept wildcard
certificates.

This is probably because in tls_m.c the certificate CN (*.domain.example) is
matched against the hostname (foo.domain.example), not against the domain
(.domain.example).

I suggest the following patch:

--%snip%--
diff -Nru openldap-2.4.26-orig/libraries/libldap/tls_m.c
openldap-2.4.26/libraries/libldap/tls_m.c
--- openldap-2.4.26-orig/libraries/libldap/tls_m.c	2011-06-30 17:13:36.000000000
+0200
+++ openldap-2.4.26/libraries/libldap/tls_m.c	2011-08-01 16:29:42.000000000
+0200
@@ -2590,7 +2590,7 @@
 				if ( av->len == nlen && !strncasecmp( name, (char *)av->data, nlen )) {
 					ret = LDAP_SUCCESS;
 				} else if ( av->data[0] == '*' && av->data[1] == '.' &&
-					domain && dlen == av->len - 1 && !strncasecmp( name,
+					domain && dlen == av->len - 1 && !strncasecmp( domain,
 						(char *)(av->data+1), dlen )) {
 					ret = LDAP_SUCCESS;
 				} else {
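Review bot: the one-word change on the `-`/`+` lines is the right fix: `domain` points at the first '.' of `name`, and the preceding `dlen == av->len - 1` check already guarantees it is exactly as long as the CN minus its leading '*', so `!strncasecmp( domain, (char *)(av->data+1), dlen )` is the intended suffix comparison, whereas the original `strncasecmp( name, ... )` compared the full hostname against a string that starts with '.' and could never succeed. Worth stating in the commit message that the length check also keeps the wildcard to a single leading label (a two-label host such as `a.b.domain.example` still fails `dlen == av->len - 1`), and a regression test with a `*.`-prefixed CN and both a one-label and a two-label hostname would protect that behaviour.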
--%snip%--


Kind regards,

Philippe Kueck
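To make the reported defect concrete, the following is an added, stand-alone C example (not code from OpenLDAP or from the reporter) that re-implements the CN check from the hunk above with the same structure: `name` is the hostname, `domain` is the suffix starting at its first '.', and the wildcard branch accepts `*.<suffix>` only when the suffix length equals the CN length minus one. The `fixed` flag selects which string is compared against `av->data+1`: `name` as in the original code, or `domain` as in the patch. The function name `cn_matches` and the sample hostnames are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp */

/* Hypothetical helper (not OpenLDAP's): return 1 if hostname NAME matches
 * certificate subject CN, else 0. FIXED == 0 reproduces the original
 * tls_m.c comparison (wildcard suffix compared against the whole hostname),
 * FIXED == 1 the patched one (compared against the hostname's domain part). */
static int cn_matches(const char *cn, const char *name, int fixed)
{
    size_t nlen = strlen(name);
    size_t cnlen = strlen(cn);                 /* av->len in tls_m.c */
    const char *domain = strchr(name, '.');    /* ".domain.example" or NULL */
    size_t dlen = domain ? strlen(domain) : 0;

    /* exact, case-insensitive match of the whole CN */
    if (cnlen == nlen && !strncasecmp(name, cn, nlen))
        return 1;

    /* wildcard CN "*.<suffix>": the length test limits the match to exactly
     * one leading label, so "a.b.domain.example" does not match "*.domain.example" */
    if (cn[0] == '*' && cn[1] == '.' && domain && dlen == cnlen - 1) {
        const char *subject = fixed ? domain : name;
        if (!strncasecmp(subject, cn + 1, dlen))
            return 1;
    }
    return 0;
}

int main(void)
{
    const char *cn = "*.domain.example";
    /* constructed hostnames; the first should match, the others should not */
    const char *hosts[] = { "foo.domain.example", "a.b.domain.example",
                            "domain.example", "foo.domain.example2" };
    size_t i;

    for (i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-22s original=%d patched=%d\n", hosts[i],
               cn_matches(cn, hosts[i], 0), cn_matches(cn, hosts[i], 1));
    return 0;
}
```

Running it shows that with the original comparison even `foo.domain.example` is rejected, because the hostname never begins with '.', while the patched comparison accepts it and still rejects the two-label, bare-domain and mismatched-suffix hosts.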
Comment 1 Howard Chu 2011-09-30 10:28:09 UTC
changed notes
changed state Open to Test
moved from Incoming to Software Bugs
Comment 2 Howard Chu 2011-09-30 10:28:15 UTC
hash_oldap@cycdolphin.net wrote:
> Full_Name: Philippe Kueck
> Version: 2.4.23 / 2.4.26
> OS: RHEL 6.1
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (82.98.65.86)
>
>
> When compiled against Mozilla/NSS, OpenLDAP does not accept wildcard
> certificates.
>
> This is probably because in tls_m.c the certificate CN (*.domain.example) is
> matched against the hostname (foo.domain.example), not against the domain
> (.domain.example).
>
> I suggest the following patch:

Thanks for the report, fixed in master.
>
> --%snip%--
> diff -Nru openldap-2.4.26-orig/libraries/libldap/tls_m.c
> openldap-2.4.26/libraries/libldap/tls_m.c
> --- openldap-2.4.26-orig/libraries/libldap/tls_m.c	2011-06-30 17:13:36.000000000
> +0200
> +++ openldap-2.4.26/libraries/libldap/tls_m.c	2011-08-01 16:29:42.000000000
> +0200
> @@ -2590,7 +2590,7 @@
>   				if ( av->len == nlen&&  !strncasecmp( name, (char *)av->data, nlen )) {
>   					ret = LDAP_SUCCESS;
>   				} else if ( av->data[0] == '*'&&  av->data[1] == '.'&&
> -					domain&&  dlen == av->len - 1&&  !strncasecmp( name,
> +					domain&&  dlen == av->len - 1&&  !strncasecmp( domain,
>   						(char *)(av->data+1), dlen )) {
>   					ret = LDAP_SUCCESS;
>   				} else {
> --%snip%--
>
>
> Kind regards,
>
> Philippe Kueck
>
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Comment 3 Quanah Gibson-Mount 2011-11-02 23:22:00 UTC
changed notes
changed state Test to Release
Comment 4 Quanah Gibson-Mount 2011-11-28 18:37:42 UTC
changed notes
changed state Release to Closed
Comment 5 OpenLDAP project 2014-08-01 21:04:39 UTC
fixed in master
fixed in RE24