[Date Prev][Date Next]
Re: (ITS#5789) using IP address in CN with GnuTLS
> Full_Name: LÉVAI Dániel
> Version: 2.4.11
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (220.127.116.11)
> I'm using OpenLDAP 2.4.11 on a Debian testing/lenny system.
> The GnuTLS version is 2.4.2.
> So it seems, according to OpenLDAP, 192.168.1.3 != 192.168.1.3. Why is that?
> And please allow me include some additional information, which was told me by
> Philip Guenther on openldap-software@:
> "It appears the routine used with GNUtls
> refuses to match IP addresses against a CN subjects component, thus
> explaining that weird message.
> (In ldap_pvt_tls_check_hostname(), 'len1' is only non-zero if the hostname
> doesn't look like an IPv6 or IPv4 address, while the subject CN test needs
> 'len1' to be the same as the length of the CN value.)"
Thanks for the report, now fixed in HEAD.
Note that using an IP address in the CN is not the way you're supposed to
generate certs; IP addresses belong in the subjectAltName extension. The CN is
only supposed to contain a fully qualified domain name.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/