Full_Name: Philippe Kueck
Version: 2.4.23 / 2.4.26
OS: RHEL 6.1
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (82.98.65.86)

When compiled against Mozilla/NSS, OpenLDAP does not accept wildcard certificates.

This is probably because in tls_m.c the certificate CN (*.domain.example) is matched against the hostname (foo.domain.example), not against the domain (.domain.example).

I suggest the following patch:

--%snip%-- diff -Nru openldap-2.4.26-orig/libraries/libldap/tls_m.c openldap-2.4.26/libraries/libldap/tls_m.c --- openldap-2.4.26-orig/libraries/libldap/tls_m.c 2011-06-30 17:13:36.000000000 +0200 +++ openldap-2.4.26/libraries/libldap/tls_m.c 2011-08-01 16:29:42.000000000 +0200 @@ -2590,7 +2590,7 @@ if ( av->len == nlen && !strncasecmp( name, (char *)av->data, nlen )) { ret = LDAP_SUCCESS; } else if ( av->data[0] == '*' && av->data[1] == '.' && - domain && dlen == av->len - 1 && !strncasecmp( name, + domain && dlen == av->len - 1 && !strncasecmp( domain, (char *)(av->data+1), dlen )) { ret = LDAP_SUCCESS; } else { --%snip%--

Kind regards,

Philippe Kueck
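Review bot: the `} else if ( av->data[0] == '*' && av->data[1] == '.' &&` branch deserves a one-line comment stating that `domain` must point at the leading dot of the hostname's parent domain and that `dlen == av->len - 1` is what confines the wildcard to exactly one label. The corrected line itself is right: with `name` as the left operand the bounded compare set the hostname's first `dlen` bytes (`foo.domain.exam` for the report's example) against the CN's `.domain.example`, so no `*.`-prefixed CN could pass, while with `domain` both operands are exactly `dlen` bytes long and the equal-length test is also what keeps `strncasecmp` inside the length-counted `av->data`. The two operands look alike enough that the mix-up went unnoticed, so something like `/* wildcard CN "*.suffix": match when the host's parent domain ".suffix" equals it */` above the `else if` would make the intent visible to the next reader.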
changed notes changed state Open to Test moved from Incoming to Software Bugs
hash_oldap@cycdolphin.net wrote:
> Full_Name: Philippe Kueck
> Version: 2.4.23 / 2.4.26
> OS: RHEL 6.1
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (82.98.65.86)
>
> When compiled against Mozilla/NSS OpenLDAP does not accept wildcard certificates.
>
> This is probably because in tls_m.c the certificate CN (*.domain.example) is matched against the hostname (foo.domain.example), not against the domain (.domain.example).
>
> I suggest the following patch:

Thanks for the report, fixed in master.

> --%snip%-- > diff -Nru openldap-2.4.26-orig/libraries/libldap/tls_m.c > openldap-2.4.26/libraries/libldap/tls_m.c > --- openldap-2.4.26-orig/libraries/libldap/tls_m.c 2011-06-30 17:13:36.000000000 > +0200 > +++ openldap-2.4.26/libraries/libldap/tls_m.c 2011-08-01 16:29:42.000000000 > +0200 > @@ -2590,7 +2590,7 @@ > if ( av->len == nlen&& !strncasecmp( name, (char *)av->data, nlen )) { > ret = LDAP_SUCCESS; > } else if ( av->data[0] == '*'&& av->data[1] == '.'&& > - domain&& dlen == av->len - 1&& !strncasecmp( name, > + domain&& dlen == av->len - 1&& !strncasecmp( domain, > (char *)(av->data+1), dlen )) { > ret = LDAP_SUCCESS; > } else { > --%snip%--
>
> Kind regards,
>
> Philippe Kueck

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
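As an added example (not OpenLDAP's code and not part of the report or the reply above), the shape of the check the patch corrects, reimplemented in C with both operand choices side by side so the failure mode shows on constructed inputs. `struct cn_value`, `cn_match`, `cn_match_buggy` and `cn_match_fixed` are names chosen here; this page does not show how tls_m.c derives `domain`, so the example assumes it is the hostname from its first dot onward, which is what the report's `.domain.example` describes.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp */

/* Added example, not OpenLDAP code. Stand-in for the attribute value the
 * NSS backend compares (av->data / av->len in tls_m.c): a length-counted
 * byte buffer. Nothing below relies on it being NUL-terminated. */
struct cn_value {
    const unsigned char *data;
    size_t len;
};

static struct cn_value cn_from_string(const char *s)
{
    struct cn_value av;
    av.data = (const unsigned char *)s;
    av.len = strlen(s);
    return av;
}

/* The check in the shape the report describes: an exact (case-insensitive)
 * match, or a wildcard CN "*.<suffix>" whose suffix equals the host's parent
 * domain. use_domain selects the left operand of the wildcard compare:
 * 0 reproduces the pre-patch line (the full hostname), 1 the patched line. */
static int cn_match(const struct cn_value *av, const char *name, int use_domain)
{
    size_t nlen = strlen(name);
    /* Assumption: "domain" is the hostname from its first dot onward,
     * i.e. ".domain.example" for "foo.domain.example", NULL for a bare label. */
    const char *domain = strchr(name, '.');
    size_t dlen = domain ? strlen(domain) : 0;

    if (av->len == nlen && !strncasecmp(name, (const char *)av->data, nlen))
        return 1;

    /* The av->len >= 2 guard is this example's own addition, so data[1] is
     * never read on a zero- or one-byte value. The dlen == av->len - 1 test
     * both bounds the compare and confines the wildcard to one label:
     * "a.b.domain.example" yields a longer parent domain and fails it. */
    if (av->len >= 2 && av->data[0] == '*' && av->data[1] == '.' &&
        domain && dlen == av->len - 1 &&
        !strncasecmp(use_domain ? domain : name,
                     (const char *)av->data + 1, dlen))
        return 1;

    return 0;
}

/* Pre-patch behaviour: compares the hostname itself against the suffix. */
int cn_match_buggy(const char *cn, const char *host)
{
    struct cn_value av = cn_from_string(cn);
    return cn_match(&av, host, 0);
}

/* Patched behaviour: compares the parent domain against the suffix. */
int cn_match_fixed(const char *cn, const char *host)
{
    struct cn_value av = cn_from_string(cn);
    return cn_match(&av, host, 1);
}

int main(void)
{
    /* Constructed test vectors, not taken from any real certificate. */
    static const struct { const char *cn, *host; } cases[] = {
        { "*.domain.example",   "foo.domain.example" },
        { "*.domain.example",   "FOO.Domain.Example" },
        { "*.domain.example",   "a.b.domain.example" },
        { "*.domain.example",   "domain.example" },
        { "foo.domain.example", "foo.domain.example" },
        { "*",                  "foo" },
    };
    size_t i;

    printf("%-20s %-20s buggy fixed\n", "CN", "hostname");
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-20s %-20s %5d %5d\n", cases[i].cn, cases[i].host,
               cn_match_buggy(cases[i].cn, cases[i].host),
               cn_match_fixed(cases[i].cn, cases[i].host));
    return 0;
}
```

The first row is the report's case: the pre-patch compare puts `foo.domain.exam` against `.domain.example` and fails on the first byte, while the patched compare puts `.domain.example` against `.domain.example` and succeeds. The remaining rows show what the patched check still rejects: a host two labels below the wildcard, the bare parent domain, and a CN too short to carry a wildcard at all.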
changed notes changed state Test to Release
changed notes changed state Release to Closed
fixed in master fixed in RE24