[Date Prev][Date Next] [Chronological] [Thread] [Top]

OpenLDAP Need to be compliant with RFC 2830 (with regards to Server Identity Check) (ITS#1490)

Full_Name: Kyle Johnson
Version: 2.0.11
OS: RedHat Linux 7.1
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

We have an enterprise LDAP directory to which connections will only be allowed
via a secure connection (i.e. SSL).  The server has a signed certificate from
Verisgn, but we are unable to establish a secure connection.  It appears that
OpenLDAP is expecting (demanding really) that the CNAME in the DNS match the
certificate.  However, that is in direct violation of RFC 2830, which states:

3.6.  Server Identity Check

   The client MUST check its understanding of the server's hostname
   against the server's identity as presented in the server's
   Certificate message, in order to prevent man-in-the-middle attacks.

   Matching is performed according to these rules:

   - The client MUST use the server hostname it used to open the LDAP
     connection as the value to compare against the server name as
     expressed in the server's certificate.  The client MUST NOT use the
     server's canonical DNS name or any other derived form of name.

   - If a subjectAltName extension of type dNSName is present in the
     certificate, it SHOULD be used as the source of the server's

   - Matching is case-insensitive.

   - The "*" wildcard character is allowed.  If present, it applies only
     to the left-most name component.
Note the first rule.  That is where the problem is.