
tls_check_hostname (ITS#2161)



Full_Name: Aaron Spangler
Version: 2.1.4 & 2.0.25
OS: Solaris 8
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (155.188.255.8)


Description: cannot turn off tls_check_hostname

I am using openldap + openssl(0.9.6g) to connect to an LDAP server.
The server certificate subject is cn=servername.domain.domain

ldap_initialize(&ldp,"ldaps://servername.domain.domain") works great.

The problem is that we cannot rely on name resolution in our environment.  I
want to instead connect via the IP address to make things more stable.

ldap_initialize(&ldp,"ldaps://10.2.3.4") fails with 'TLS: hostname does not
match common name in certificate'

I tried using ldap_set_option for LDAP_OPT_X_TLS_REQUIRE_CERT=0, which maps to
the underlying SSL function SSL_CTX_set_verify(...,SSL_VERIFY_NONE,...). But it
appears to not make a difference.

On further investigation of <openldap>/libraries/libldap/tls.c it looks as if
ldap_pvt_tls_check_hostname() is ALWAYS called by ldap_int_tls_start() and there
appears to be no way to turn it off. [I checked openldap 2.1.4 & 2.0.25]

Any suggestions short of hard coding a return (LDAP_SUCCESS) inside of
ldap_pvt_tls_check_hostname()?

Thanks for your help in advance.

 -Aaron Spangler
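The hostname check the report runs into is the part of TLS that ties the presented certificate to the endpoint the client asked for; without it, any certificate the configured CA would sign satisfies the connection, which is why SSL_VERIFY_NONE and a hard-coded LDAP_SUCCESS are both worse than they look. The check can succeed for an IP-literal URL such as ldaps://10.2.3.4 when the server certificate carries that address in an iPAddress subjectAltName, so reissuing the certificate is the fix that keeps the check in place. The following is an added illustration, not code from OpenLDAP's tls.c: it implements the generally accepted (RFC 6125 style) matching rules, which go beyond the CN-only comparison reflected in the error message quoted above, and runs them against two constructed certificate descriptions, one modelled on the CN-only certificate in the report and one hypothetical reissued certificate with dNSName and iPAddress entries.

```python
import ipaddress

# Constructed sample certificates (not real certificates): a CN-only one matching
# the report, and a hypothetical reissued one with subjectAltName entries.
CN_ONLY_CERT = {
    "commonName": "servername.domain.domain",
    "subjectAltName": (),
}
SAN_CERT = {
    "commonName": "servername.domain.domain",
    "subjectAltName": (
        ("DNS", "servername.domain.domain"),
        ("IP Address", "10.2.3.4"),
    ),
}


def is_ip_literal(host):
    """True if the requested host is an IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, host):
    """dNSName comparison: case-insensitive, trailing dot ignored, wildcard only
    as the entire leftmost label, and never for names with fewer than 3 labels."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if p == h:
        return True
    if len(p) != len(h) or len(p) < 3 or p[0] != "*":
        return False
    return p[1:] == h[1:]


def check_hostname(cert, host):
    """Return (ok, reason): is this certificate valid for the endpoint requested?"""
    san = cert.get("subjectAltName", ())
    san_dns = [v for kind, v in san if kind == "DNS"]
    san_ip = [v for kind, v in san if kind == "IP Address"]

    # An IP literal is only ever matched against iPAddress entries; a CN that
    # happens to contain the address is not consulted.
    if is_ip_literal(host):
        want = ipaddress.ip_address(host)
        for ip in san_ip:
            if ipaddress.ip_address(ip) == want:
                return True, "matched iPAddress subjectAltName"
        return False, "IP literal requires an iPAddress subjectAltName"

    # When dNSName entries exist they are authoritative; CN is only a fallback
    # for legacy certificates that carry no subjectAltName at all.
    if san_dns:
        for name in san_dns:
            if dns_name_matches(name, host):
                return True, "matched dNSName subjectAltName"
        return False, "no dNSName subjectAltName matched"
    cn = cert.get("commonName")
    if cn and dns_name_matches(cn, host):
        return True, "matched commonName (no subjectAltName present)"
    return False, "hostname does not match commonName in certificate"


if __name__ == "__main__":
    for label, cert in (("CN-only", CN_ONLY_CERT), ("with SANs", SAN_CERT)):
        for host in ("servername.domain.domain", "10.2.3.4"):
            ok, why = check_hostname(cert, host)
            print(f"{label:9} {host:25} {'OK  ' if ok else 'FAIL'} {why}")
```

Run stand-alone, the CN-only certificate passes for the DNS name and fails for 10.2.3.4 exactly as the report describes, while the certificate with an iPAddress entry passes for both, which is the outcome a reissued server certificate gives without touching the client's verification settings.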