
RE: tls_check_hostname (ITS#2161)



One suggestion: add subjectAltName=DNS:10.2.3.4 to your server cert.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support 

> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of
> spangla@nationwide.com
> Sent: Wednesday, October 30, 2002 8:45 AM
> To: openldap-its@OpenLDAP.org
> Subject: tls_check_hostname (ITS#2161)
> 
> 
> Full_Name: Aaron Spangler
> Version: 2.1.4 & 2.0.25
> OS: Solaris 8
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (155.188.255.8)
> 
> 
> Description: cannot turn off tls_check_hostname
> 
> I am using openldap + openssl(0.9.6g) to connect to an LDAP server.
> The server certificate subject is cn=servername.domain.domain
> 
> ldap_initialize(&ldp,"ldaps://servername.domain.domain") works great.
> 
> The problem is that we cannot rely on name resolution in our environment.
> I want to instead connect via the IP address to make things more stable.
> 
> ldap_initialize(&ldp,"ldaps://10.2.3.4") fails with 'TLS: hostname does
> not match common name in certificate'
> 
> I tried using ldap_set_option for LDAP_OPT_X_TLS_REQUIRE_CERT=0, which
> maps to the underlying ssl function
> SSL_CTX_set_verify(...,SSL_VERIFY_NONE,...), but it appears to not make
> a difference.
> 
> On further investigation of <openldap>/libraries/libldap/tls.c it looks
> as if ALWAYS called by ldap_int_tls_start() and there appears to be no
> way to turn it off. [I checked openldap 2.1.4 & 2.0.25]
> 
> Any suggestions short of hard coding a return (LDAP_SUCCESS) inside of
> ldap_pvt_tls_check_hostname()?
> 
> Thanks for your help in advance.
> 
>  -Aaron Spangler
> 
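The thread turns on two points a practitioner will want to see side by side: the hostname check is independent of chain verification (so LDAP_OPT_X_TLS_REQUIRE_CERT does not switch it off), and a client that dials an IP literal needs the certificate to carry that address as a subjectAltName rather than relying on the CN. The following is an added example, not code from OpenLDAP's tls.c or from anyone on this thread. It assumes the certificate is presented in the dict layout Python's ssl.SSLSocket.getpeercert() returns, and it follows the RFC 6125 convention rather than whatever libldap 2.1.4 did: an IP literal is matched only against iPAddress SANs (the IP: form in OpenSSL's subjectAltName syntax), a DNS name against dNSName SANs, and the CN is consulted only when the certificate has no dNSName SAN at all. The sample certificates, hostnames and the helper names (parse_connect_host, dns_name_matches, check_hostname, san_extension) are constructed for the example.

```python
"""Hostname check for an LDAP-over-TLS peer certificate (added example).

Assumptions (not from the original thread): the certificate is given in the
dict layout that Python's ssl.SSLSocket.getpeercert() returns, and the check
follows the RFC 6125 convention: an IP literal is matched only against
iPAddress SANs, a DNS name against dNSName SANs, with the CN consulted only
when the certificate carries no dNSName SAN at all.
"""
import ipaddress


def parse_connect_host(host):
    """Split the host part of an ldaps:// URI into (value, is_ip).

    IPv6 literals arrive as "[::1]"; the brackets are not part of the address.
    """
    bare = host.strip("[]")
    try:
        return ipaddress.ip_address(bare), True
    except ValueError:
        return bare.lower().rstrip("."), False


def dns_name_matches(pattern, host):
    """Case-insensitive dNSName match; '*' is only honoured as the whole
    leftmost label (so *.example.org matches a.example.org, not a.b.example.org)."""
    pattern = pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]            # ".example.org"
    if not host.endswith(suffix):
        return False
    head = host[: -len(suffix)]
    return head != "" and "." not in head


def check_hostname(connect_host, cert):
    """Return (ok, reason) for the host the client dialled vs. the peer cert.

    Deliberately independent of chain verification: a client that disables
    certificate verification still gets a hostname mismatch here, which is
    the behaviour the reporter observed with libldap.
    """
    target, is_ip = parse_connect_host(connect_host)
    sans = cert.get("subjectAltName", ())

    if is_ip:
        for kind, value in sans:
            if kind != "IP Address":
                continue
            try:
                if ipaddress.ip_address(value) == target:
                    return True, "matched iPAddress SAN %s" % value
            except ValueError:
                continue                 # malformed SAN value, ignore it
        return False, "TLS: IP %s not present as iPAddress SAN" % target

    dns_sans = [value for kind, value in sans if kind == "DNS"]
    for value in dns_sans:
        if dns_name_matches(value, target):
            return True, "matched dNSName SAN %s" % value
    if dns_sans:
        return False, "TLS: hostname does not match any dNSName SAN"

    # No dNSName SAN present: fall back to the subject commonName.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and dns_name_matches(value, target):
                return True, "matched commonName %s" % value
    return False, "TLS: hostname does not match common name in certificate"


def san_extension(dns_names=(), ips=()):
    """Build the OpenSSL subjectAltName value for a certificate that will
    satisfy check_hostname() for both the DNS names and the IP literals."""
    parts = ["DNS:%s" % n for n in dns_names]
    parts += ["IP:%s" % ipaddress.ip_address(i) for i in ips]
    return "subjectAltName=" + ",".join(parts)


# Constructed sample certificates (not real certificates from the thread).
CN_ONLY_CERT = {
    "subject": ((("commonName", "servername.domain.domain"),),),
}
SAN_CERT = {
    "subject": ((("commonName", "servername.domain.domain"),),),
    "subjectAltName": (
        ("DNS", "servername.domain.domain"),
        ("DNS", "*.domain.domain"),
        ("IP Address", "10.2.3.4"),
        ("IP Address", "2001:db8::4"),
    ),
}

if __name__ == "__main__":
    for host, cert, label in (
        ("servername.domain.domain", CN_ONLY_CERT, "CN-only cert"),
        ("10.2.3.4", CN_ONLY_CERT, "CN-only cert"),
        ("10.2.3.4", SAN_CERT, "cert with SANs"),
        ("[2001:db8::4]", SAN_CERT, "cert with SANs"),
    ):
        ok, why = check_hostname(host, cert)
        print("%-26s %-16s %s %s" % (host, label, "OK " if ok else "FAIL", why))
    print(san_extension(["servername.domain.domain"], ["10.2.3.4"]))
```

Run stand-alone it reproduces the reporter's situation (name OK, IP literal rejected against a CN-only certificate) and then shows the IP literal accepted once the certificate carries an iPAddress SAN. The string san_extension() prints is the value to feed to OpenSSL when issuing the server certificate, for instance through a subjectAltName line in the req extension section or `openssl req -addext`, so that clients dialling either the name or the address pass the check without anyone patching ldap_pvt_tls_check_hostname() to return LDAP_SUCCESS.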