
Re: (ITS#5789) using IP address in CN with GnuTLS



leva@ecentrum.hu wrote:
> Full_Name: LÉVAI Dániel
> Version: 2.4.11
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (78.131.56.68)
>
>
> I'm using OpenLDAP 2.4.11 on a Debian testing/lenny system.
> The GnuTLS version is 2.4.2.
>

> So it seems, according to OpenLDAP, 192.168.1.3 != 192.168.1.3. Why is that?
>
> And please allow me include some additional information, which was told me by
> Philip Guenther on openldap-software@:
> "It appears the routine used with GNUtls
> refuses to match IP addresses against a CN subjects component, thus
> explaining that weird message.
>
> (In ldap_pvt_tls_check_hostname(), 'len1' is only non-zero if the hostname
> doesn't look like an IPv6 or IPv4 address, while the subject CN test needs
> 'len1' to be the same as the length of the CN value.)"

Thanks for the report, now fixed in HEAD.

Note that using an IP address in the CN is not the way you're supposed to 
generate certs; IP addresses belong in the subjectAltName extension. The CN is 
only supposed to contain a fully qualified domain name.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
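To make the matching rule concrete, here is a small hostname-verification routine, added as an illustration and not taken from OpenLDAP's ldap_pvt_tls_check_hostname(). It shows why an IP-literal host should be compared against subjectAltName iPAddress entries rather than the CN: an IP in the CN only matches when the caller opts into that fallback (the allow_ip_in_cn flag is this example's assumption about the lenient behaviour; the real library's exact rules after the fix are not reproduced here). DNS names match SAN dNSName entries with a single leftmost wildcard label, and the CN is consulted only when the certificate has no SAN at all. The certificate name sets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """Name fields as they would be extracted from a server certificate
    (constructed for this example, not parsed from a real cert)."""
    common_name: Optional[str] = None
    san_dns: List[str] = field(default_factory=list)
    san_ip: List[str] = field(default_factory=list)


def _parse_ip(text):
    """Return an ip_address object for an IPv4/IPv6 literal (with or without
    surrounding brackets), or None if the text is not an IP literal."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def _dns_match(pattern, host):
    """Case-insensitive DNS name match; a '*' may replace exactly one
    leftmost label and never the whole registrable name."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    host_labels = host.split(".")
    # '*.example.com' covers 'a.example.com' but not 'example.com'
    # and not 'a.b.example.com'.
    return len(host_labels) > 2 and ".".join(host_labels[1:]) == pattern[2:]


def check_hostname(cert, requested, allow_ip_in_cn=False):
    """Decide whether `requested` (a DNS name or IP literal the client
    connected to) is covered by the certificate's names."""
    has_san = bool(cert.san_dns or cert.san_ip)
    ip = _parse_ip(requested)

    if ip is not None:
        # IP literals are compared as parsed addresses, so textual
        # variants ('::1' vs '0:0:0:0:0:0:0:1') still compare equal.
        if any(_parse_ip(c) == ip for c in cert.san_ip):
            return True
        # CN fallback for IPs only if explicitly allowed and no SAN exists.
        if allow_ip_in_cn and not has_san and cert.common_name:
            return _parse_ip(cert.common_name) == ip
        return False

    # DNS name: SAN dNSName entries take precedence; CN only when no SAN.
    if has_san:
        return any(_dns_match(p, requested) for p in cert.san_dns)
    if cert.common_name:
        return _dns_match(cert.common_name, requested)
    return False


def reported_case():
    """The situation from the report: CN=192.168.1.3, no subjectAltName.
    Returns (strict result, result with the CN-IP fallback enabled)."""
    cert = CertNames(common_name="192.168.1.3")
    return (
        check_hostname(cert, "192.168.1.3"),
        check_hostname(cert, "192.168.1.3", allow_ip_in_cn=True),
    )


if __name__ == "__main__":
    print("CN-only IP cert, strict / lenient:", reported_case())
    good = CertNames(common_name="ldap.example.com", san_ip=["192.168.1.3"])
    print("IP in SAN:", check_hostname(good, "192.168.1.3"))
```

With the strict rule the reporter's certificate is rejected, which is the outcome the "192.168.1.3 != 192.168.1.3" message was describing; putting the address in a SAN iPAddress entry makes it verify without any fallback.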