
RE: How to turn of SSL Hostname check?
So after the discussion, did this one-line patch ever make it into the
source?

*** libraries/libldap/tls.c.orig        Sat Jan 26 14:55:02 2002
--- libraries/libldap/tls.c     Wed Oct 30 15:00:05 2002
***************
*** 1121,1126 ****
--- 1121,1127 ----

        ld->ld_errno = ldap_pvt_tls_check_hostname( ssl, host );
        if (ld->ld_errno != LDAP_SUCCESS) {
+               if (tls_opt_require_cert)
                return ld->ld_errno;
        }
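Review bot: when `tls_opt_require_cert` is false the mismatch is tolerated, but `ld->ld_errno` still holds the failure code that `ldap_pvt_tls_check_hostname( ssl, host )` stored two lines earlier, so a caller that inspects `ld_errno` after a connection that went through will read a stale error; add an `else ld->ld_errno = LDAP_SUCCESS;` (or clear it before falling out of the block) so the stored status matches the outcome. The tolerated path is also silent: nothing in the hunk records that the hostname check failed, which makes a server with a wrong or missing certificate name indistinguishable in logs from a correctly configured one, so a debug message on that branch would help operators. Style: the new `if (tls_opt_require_cert)` has no braces and leaves `return ld->ld_errno;` at its old indentation, so the nesting is easy to misread; wrap the return in braces.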

Aaron Spangler
11/13/2002 08:25 AM

To:    "Howard Chu" <hyc@highlandsun.com>
cc:    "'Kurt D. Zeilenga'" <Kurt@OpenLDAP.org>,
       <spangla@nationwide.com>, <openldap-bugs@OpenLDAP.org>

Subject:    RE: How to turn of SSL Hostname check?


Howard & Kurt

Thank you.  I strongly agree with you!  Certificate validation and SSL host
name checks *need* to be in place!
That said, I have no control over the ldap servers in our environment.
(And thus I have no control of the non-existent and malformed certificates
that others have set up in the past).

Netscape's SDK, iPlanet's SDK, and IBM's SDK allow you to turn off this
feature in question.  OpenLDAP's client libraries appear to provide the
same switch.  However, upon testing, the flag is ignored and can be traced
back to one line of code.

So here is my proposed patch and my defense:

Defense: If an application specifically turns off certificate checking, why
require a hostname in a nonexistent or malformed certificate?

Thanks in advance for your help.

 - Aaron
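To make concrete what the quoted one-line gate does and does not do, here is an added C model of the client-side hostname check. It is written for this page, not taken from OpenLDAP's tls.c: `check_hostname`, `connect_as_patched`, `connect_fixed`, the `ldap_model` and `cert_model` structs, and the use of LDAP_CONNECT_ERROR as the mismatch code are all assumptions. It puts the patched control flow (a tolerated mismatch leaves a stale `ld_errno` behind) next to a form that clears the status and still surfaces the mismatch so the caller can log it.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Toy model written for this thread; not OpenLDAP's tls.c.  Names are
 * assumptions, and LDAP_CONNECT_ERROR is assumed as the mismatch code. */
#define LDAP_SUCCESS        0
#define LDAP_CONNECT_ERROR  0x5b

typedef struct { int ld_errno; } ldap_model;

typedef struct {
    const char *subject_cn;   /* CN from the subject DN */
    const char *san[4];       /* dNSName entries, NULL-terminated */
} cert_model;

/* Case-insensitive exact comparison; this model does no wildcard matching. */
static int name_matches(const char *presented, const char *host)
{
    return presented != NULL && host != NULL && strcasecmp(presented, host) == 0;
}

/* Accept the certificate for host if a SAN dNSName matches, or, only when
 * the certificate carries no dNSName at all, if the subject CN matches. */
int check_hostname(const cert_model *cert, const char *host)
{
    int have_san = 0;
    if (cert == NULL || host == NULL)
        return LDAP_CONNECT_ERROR;
    for (int i = 0; cert->san[i] != NULL; i++) {
        have_san = 1;
        if (name_matches(cert->san[i], host))
            return LDAP_SUCCESS;
    }
    if (!have_san && name_matches(cert->subject_cn, host))
        return LDAP_SUCCESS;
    return LDAP_CONNECT_ERROR;
}

/* Same control flow as the quoted hunk: the result is stored first and the
 * early return is gated on require_cert, so a tolerated mismatch leaves the
 * error code behind in ld_errno even though the call reports success. */
int connect_as_patched(ldap_model *ld, const cert_model *cert,
                       const char *host, int require_cert)
{
    ld->ld_errno = check_hostname(cert, host);
    if (ld->ld_errno != LDAP_SUCCESS) {
        if (require_cert)
            return ld->ld_errno;
    }
    return LDAP_SUCCESS;
}

/* Corrected form: the mismatch is reported through *mismatch_seen so the
 * caller can log it, and ld_errno always reflects the actual outcome. */
int connect_fixed(ldap_model *ld, const cert_model *cert,
                  const char *host, int require_cert, int *mismatch_seen)
{
    int rc = check_hostname(cert, host);
    *mismatch_seen = (rc != LDAP_SUCCESS);
    if (rc != LDAP_SUCCESS && require_cert) {
        ld->ld_errno = rc;
        return rc;
    }
    ld->ld_errno = LDAP_SUCCESS;
    return LDAP_SUCCESS;
}

int main(void)
{
    /* Constructed certificate whose SAN names a different host than the one dialled. */
    cert_model cert = { "ldap.example.test", { "ldap.example.test", NULL } };
    ldap_model ld = { LDAP_SUCCESS };
    int seen = 0;

    int rc = connect_as_patched(&ld, &cert, "dir.example.test", 0);
    printf("patched: rc=%d ld_errno=%d (stale)\n", rc, ld.ld_errno);

    rc = connect_fixed(&ld, &cert, "dir.example.test", 0, &seen);
    printf("fixed:   rc=%d ld_errno=%d mismatch_seen=%d\n", rc, ld.ld_errno, seen);
    return 0;
}
```

With `require_cert` off, both variants let the connection proceed; the difference is what the library leaves behind. The patched flow returns success while `ld_errno` still says LDAP_CONNECT_ERROR, which is exactly the kind of inconsistency that later error reporting trips over, whereas the fixed flow keeps `ld_errno` truthful and hands the mismatch to the caller as a separate signal that can be logged or counted.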