Re: (ITS#5938) tls.c does not conform to RFC 4513
On Feb 10, 2009, at 7:56 AM, firstname.lastname@example.org wrote:
> Full_Name: nick hudson
> Version: 2.3.38
> OS: linux
> Submission from: (NULL) (220.127.116.11)
> I am looking at the code in tls.c, function
> (although the code has been refactored in recent versions, into e.g.
> but the same is true of the new code)
> I think the code is doing something that RFC 4513 says that it
> should not do.
> Specifically, ref RFC 4513 section 3.1.3 says:
>
>    The server's identity may also be verified by comparing the
>    identity to the Common Name (CN) [RFC4519] value in the leaf
>    Relative Distinguished Name (RDN) of the subjectName field of the
>    server's certificate. This comparison is performed using the rules
>    for comparison of DNS names in Section 3.1.3.1, below, with the
>    exception that no wildcard matching is allowed.
> In tls.c (and the refactored code), you can see it's first attempting an exact
> comparison on subjectAltName, and if that fails it tries a wildcard match (which
> is ok, as per section 3.1.3.1).
>
> But if no subjectAltName match is found, there's another section which looks at
> the certificate's subjectName, in which it also does a wildcard match, although
> the RFC says this shouldn't be done.
This is a case where the OpenLDAP library is purposely being 'liberal in
what it accepts'.
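For readers following the thread, the check being discussed, written out as an added example. This is not OpenLDAP's tls.c and not the reporter's code; the function names, the IDCHECK_STRICT/IDCHECK_LIBERAL modes and the sample certificate data below are hypothetical and constructed for illustration. It applies the RFC 4513 3.1.3.1 comparison rule (case-insensitive, '*' honoured only as the whole left-most label and matching exactly one label) to the subjectAltName dNSName values first, and then falls back to the leaf CN of the subject DN, where the strict mode refuses wildcards as section 3.1.3 requires and the liberal mode accepts them as the report says tls.c does.

```c
/* Added example, not OpenLDAP's tls.c: an RFC 4513 3.1.3 server identity check.
 * All names and signatures here are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp / strncasecmp, POSIX */

enum idcheck_mode {
    IDCHECK_STRICT,   /* RFC 4513 3.1.3: no wildcard when matching the subject CN */
    IDCHECK_LIBERAL   /* what the report describes: wildcard honoured for the CN as well */
};

/* RFC 4513 3.1.3.1 comparison: case-insensitive; a '*' is honoured only when it
 * is the whole left-most label, and it then matches exactly one label, so
 * "*.example.com" matches "ldap.example.com" but neither "example.com" nor
 * "a.b.example.com". A '*' anywhere else is compared literally and never
 * matches a real host name. */
static bool dns_name_match(const char *presented, const char *host, bool allow_wildcard)
{
    if (allow_wildcard && presented[0] == '*' && presented[1] == '.') {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)           /* host needs a label in front of the dot */
            return false;
        return strcasecmp(presented + 1, dot) == 0;   /* ".example.com" vs the host's tail */
    }
    return strcasecmp(presented, host) == 0;
}

/* Extract the CN value of the leaf RDN from an RFC 4514 DN string ("CN=x,O=y";
 * the leaf RDN comes first). Assumption for brevity: no escaped commas and no
 * multi-valued RDNs. Returns false when the leaf RDN is not a CN. */
static bool leaf_cn(const char *dn, char *out, size_t outlen)
{
    const char *start, *end;
    size_t len;

    if (strncasecmp(dn, "CN=", 3) != 0)
        return false;
    start = dn + 3;
    end = strchr(start, ',');
    len = end ? (size_t)(end - start) : strlen(start);
    if (len == 0 || len >= outlen)
        return false;
    memcpy(out, start, len);
    out[len] = '\0';
    return true;
}

/* Returns 1 if the certificate identifies 'host', 0 otherwise.
 * Order follows the report: exact subjectAltName dNSName match, then a wildcard
 * subjectAltName match (allowed by 3.1.3.1), then the subject's leaf CN, where
 * IDCHECK_STRICT forbids wildcards and IDCHECK_LIBERAL accepts them. */
int check_server_identity(const char *host, const char *const *san_dns, size_t nsan,
                          const char *subject_dn, enum idcheck_mode mode)
{
    char cn[256];
    size_t i;

    for (i = 0; i < nsan; i++)                 /* exact subjectAltName match */
        if (dns_name_match(san_dns[i], host, false))
            return 1;
    for (i = 0; i < nsan; i++)                 /* wildcard subjectAltName match */
        if (dns_name_match(san_dns[i], host, true))
            return 1;

    if (subject_dn == NULL || !leaf_cn(subject_dn, cn, sizeof cn))
        return 0;
    return dns_name_match(cn, host, mode == IDCHECK_LIBERAL) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample: a certificate with a wildcard CN and no subjectAltName,
     * which is exactly the case where the two modes disagree. */
    const char *dn = "CN=*.example.com,O=Example Corp";
    printf("strict:  %d\n", check_server_identity("ldap.example.com", NULL, 0, dn, IDCHECK_STRICT));
    printf("liberal: %d\n", check_server_identity("ldap.example.com", NULL, 0, dn, IDCHECK_LIBERAL));
    return 0;
}
```

The only input on which the two modes differ is a certificate whose subjectAltName carries no usable dNSName and whose CN is a wildcard; a wildcard in the subjectAltName is accepted in both modes, as the report agrees it should be.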