
Re: ldapsearch do not work with NLDAP over SSL



Poli,


In the past, I had written my own patch to work around this problem.

If I remember correctly, Howard put a change into the CVS HEAD recently on
this.  I think the bug number was ITS 2161.

You might want to just apply the same change yourself before building the
code.

Go to the CVSWeb link on the www.openldap.org site.  Look under
libraries/libldap/tls.c file.  I cannot remember the exact change.
(I can't get to the web site right now).



                                                                                                                                       
Petr Olivka <petr.olivka@vsb.cz>
To: <spangla@nationwide.com>
cc: <petr.olivka@vsb.cz>, <openldap-bugs@OpenLDAP.org>, <owner-openldap-bugs@OpenLDAP.org>
Subject: Re: ldapsearch do not work with NLDAP over SSL
Date: 03/03/03 10:43 AM

Yes, I see this in the source. And what is the idea behind the configuration
file option "get server certificate" "never"? I thought that when I never get
the certificate from the server, I will not check the server name.
I think the server name check is a bug, or I misunderstand the config file
usage, probably.

poli



>
> OpenLDAP + OpenSSL requires the 'cn=' in the certificate to match exactly
> with the hostname you specify in your ldap_initialize().
> If it is a DNS name, it must match perfectly.  If it is a dotted IP
> address, it must match perfectly.  It's a security feature.
>
> By default 'stunnel' does not do the same check.
>
>  -Aaron
>
>
>
>
>
> Petr Olivka <petr.olivka@vsb.cz>
> Sent by: owner-openldap-bugs@OpenLDAP.org
> To: <openldap-bugs@OpenLDAP.org>
> Subject: ldapsearch do not work with NLDAP over SSL
> Date: 02/03/03 08:32 AM
>
> Hi !
>
>   I have a problem with the ldap utilities connecting to an NLDAP server over SSL.
>
>   When the function "tls_get_cert" calls "ssl3_send_alert", the server closes
>   the connection (everything finishes when the client sends the last 29 bytes
>   to the server with the function "write"). I do not know if the alert is too
>   serious, or if there is some other problem, but over stunnel everything works fine.
>
>   ssl 0.9.6 and 0.9.7
>   openldap 2.1.12
>
>   Petr Olivka
>
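The rule Aaron states above (the certificate's cn= is compared literally with the host passed to ldap_initialize(), DNS name or dotted IP alike) and the behaviour Poli expected for "never" (no certificate fetched, so no name to check), written out as an added example. This is illustrative Python, not OpenLDAP's libldap/tls.c, and it does not claim to reproduce what the ITS 2161 change does. The URIs and certificate subject below are constructed, and I take the "get server certificate" "never" setting to be the client-side TLS_REQCERT option in ldap.conf (an assumption).

```python
"""Illustration of an LDAP client's hostname-vs-certificate check.

Not OpenLDAP code: a stand-alone sketch of the rule described in the thread,
using constructed URIs and a constructed certificate subject.
"""
from urllib.parse import urlsplit


def uri_host(uri):
    """Return the host part of an ldap:// or ldaps:// URI, i.e. the name the
    client will later compare against the certificate.

    The comparison the thread describes is literal, so the host is returned
    exactly as written (no lower-casing, no DNS resolution).
    """
    parts = urlsplit(uri)
    if parts.scheme not in ("ldap", "ldaps") or not parts.netloc:
        raise ValueError("not an ldap:// or ldaps:// URI: %r" % uri)
    host, sep, _port = parts.netloc.rpartition(":")
    return host if sep else parts.netloc


def subject_cn(subject):
    """Pull the CN value out of an RFC 2253-style subject string such as
    'CN=ldap.example.com,O=Example Corp,C=CZ'.  Returns None if there is none."""
    for rdn in subject.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if sep and attr.strip().lower() == "cn":
            return value.strip()
    return None


def check_server_name(uri, subject, reqcert="demand"):
    """Decide whether a TLS connection to `uri` may proceed given the server
    certificate's subject.  `reqcert` stands in for the "get server
    certificate" setting ('never' or 'demand'; assumed to be TLS_REQCERT).
    Returns (ok, reason)."""
    if reqcert == "never":
        # No certificate is requested, so there is nothing to compare the
        # hostname against: the name check is skipped (Poli's expectation).
        return True, "certificate not requested; hostname not checked"

    cn = subject_cn(subject)
    if cn is None:
        return False, "certificate subject has no CN"

    host = uri_host(uri)
    # Literal comparison, as Aaron describes: a DNS name must equal a DNS name
    # and a dotted IP must equal a dotted IP.  Because nothing is resolved,
    # connecting by IP to a server whose CN is a DNS name fails even though
    # both denote the same machine.
    if cn != host:
        return False, "CN %r does not match URI host %r" % (cn, host)
    return True, "CN matches URI host"


if __name__ == "__main__":
    # Constructed sample: a server certificate issued for a DNS name.
    SUBJECT = "CN=ldap.example.com,O=Example Corp,C=CZ"
    for uri, reqcert in [
        ("ldaps://ldap.example.com:636", "demand"),   # name matches: accepted
        ("ldaps://10.0.0.5:636", "demand"),           # IP vs DNS name: rejected
        ("ldaps://10.0.0.5:636", "never"),            # no cert fetched: not checked
    ]:
        ok, reason = check_server_name(uri, SUBJECT, reqcert)
        print("%-30s reqcert=%-6s -> %s (%s)" % (uri, reqcert, "OK" if ok else "FAIL", reason))
```

The practical reading for the reporter's setup: with "demand" (or any setting that fetches the certificate), the URI given to ldapsearch -H must carry the same name that appears in the server certificate's CN, so a certificate issued for a DNS name cannot be reached by IP address; stunnel does not apply this check, which is why the same server works through it.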