Full_Name: Jan Vcelak
Version: master
OS: Linux
URL: http://jvcelak.fedorapeople.org/openldap/0001-TLS-do-not-check-hostname-when-reqcert-is-allow.patch
Submission from: (NULL) (209.132.186.34)

Hello.

If server certificate hostname does not match the server hostname, connection is closed even if client has set TLS_REQCERT to 'allow'. This is wrong - the documentation says, that bad certificates are being ignored when TLS_REQCERT is set to 'allow'. (Other certificate failures (like invalid CA) are handled as expected - at least with MozNSS.)

I'm attaching patch, which fixes this behavior. The patch applies on master branch. (OpenLDAP FTP server for incoming patches reports 'No space left on device.', that's why I uploaded the patch to fedorapeople.org.)

Regards,
Jan

changed notes
changed state Open to Test
moved from Incoming to Software Bugs

jvcelak@redhat.com wrote:
> Full_Name: Jan Vcelak
> Version: master
> OS: Linux
> URL: http://jvcelak.fedorapeople.org/openldap/0001-TLS-do-not-check-hostname-when-reqcert-is-allow.patch
> Submission from: (NULL) (209.132.186.34)
>
>
> Hello.
>
> If server certificate hostname does not match the server hostname, connection is
> closed even if client has set TLS_REQCERT to 'allow'. This is wrong - the
> documentation says, that bad certificates are being ignored when TLS_REQCERT is
> set to 'allow'. (Other certificate failures (like invalid CA) are handled as
> expected - at least with MozNSS.)
>
> I'm attaching patch, which fixes this behavior. The patch applies on master
> branch. (OpenLDAP FTP server for incoming patches reports 'No space left on
> device.', that's why I uploaded the patch to fedorapeople.org.)

Thanks, applied to master.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

changed notes
changed state Test to Release

changed notes
changed state Release to Closed

applied to master
applied to RE24
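
With this change applied, a client running with TLS_REQCERT set to 'allow' continues the session on a hostname mismatch as well as on other certificate failures, so it helps to know which level a client configuration actually yields. The following is an added example, not part of the original report or of OpenLDAP's code: it reads ldap.conf-style text and reports the effective TLS_REQCERT level and whether that level enforces certificate checks. The function names and the sample configuration are constructed for illustration, and the override order (last occurrence in the file wins, LDAPTLS_REQCERT in the environment overrides the file) is an assumption.

```python
# Added example: report the TLS_REQCERT level an OpenLDAP client config yields.
import os

ENFORCING = {"try", "demand", "hard"}   # a bad certificate ends the session
NON_ENFORCING = {"never", "allow"}      # session proceeds despite a bad certificate

# Constructed sample configuration, not taken from any real host.
SAMPLE_LDAP_CONF = """\
# client defaults
URI ldaps://ldap.example.test
TLS_CACERT /etc/ssl/certs/ca.pem
tls_reqcert   demand
# temporary workaround left in place
TLS_REQCERT allow
"""

def effective_reqcert(conf_text, env=None):
    """Return (level, source) for the TLS_REQCERT setting a client would use."""
    env = os.environ if env is None else env
    level, source = "demand", "default"          # documented default
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):     # blank lines and comments
            continue
        parts = line.split(None, 1)
        # Option names are case-insensitive; assumed: the last occurrence wins.
        if len(parts) == 2 and parts[0].upper() == "TLS_REQCERT":
            level, source = parts[1].strip().lower(), f"line {lineno}"
    # Assumed: the LDAPTLS_REQCERT environment variable overrides the file.
    if env.get("LDAPTLS_REQCERT"):
        level, source = env["LDAPTLS_REQCERT"].strip().lower(), "LDAPTLS_REQCERT"
    return level, source

def audit(conf_text, env=None):
    """Classify the effective level as 'enforcing', 'non-enforcing' or 'invalid'."""
    level, source = effective_reqcert(conf_text, env)
    if level in ENFORCING:
        verdict = "enforcing"
    elif level in NON_ENFORCING:
        verdict = "non-enforcing"
    else:
        verdict = "invalid"
    return {"level": level, "source": source, "verdict": verdict}

if __name__ == "__main__":
    print(audit(SAMPLE_LDAP_CONF, env={}))
```

A 'non-enforcing' verdict means the client will keep talking to a server whose certificate it could not validate, which after this change includes a certificate issued for a different hostname.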