[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6838) TLS client will not accept certificate for 'localhost'

On Fri, Feb 18, 2011 at 12:30:25AM +0000, hyc@symas.com wrote:

> Used to work - since when, what release, what else has changed since then? 

Unfortunately I cannot tell you exactly when this changed. In any case,
the change only affects a different bug which was masking the problem
that I now see.

I do know that 2.3.32 as shipped with SLES 10.3 masks the problem by
not checking the server certificate properly. So does 2.4.12 as shipped
with OpenSuSE 11.1. Both will allow ldapsearch -ZZ to connect to *any*
TLS-capable server if they do *not* have access to the CA certificate.

2.4.24 built on OpenSuSE 11.3 (i.e. using OpenSSL 1.0) correctly refuses
to connect if there is no CA cert.

All versions that I have tested (certainly back to 2.3.32) incorrectly
fail to connect when the URL is ldap://localhost:1389/ and a CA cert is

> I'll note that I just tested some localhost certs a few days ago and they were 
> fine, and the cert verification code hasn't changed in quite a long time.
> (E.g., ITS#6711 the test setup there uses localhost with no problem.)

Hmm - that seems to be server-to-server. My problem is with the client
tools, so maybe a different code-path is used.

I have put a small test case here:

The server cert is valid for 'localhost' and also for ''

The tests are:

        sh 1-plain
                Plain LDAP connection - no problems
                Connects to ldap://localhost:1389/

        sh 2-tls-no-ca
                With TLS but client has no access to the CA cert so this should fail
                with a complaint about 'self-signed certificate'

        sh 3-tls-with-ca
                With TLS and access to the CA cert.
                Connects to ldap://localhost:1389/
                This should succeed but it does not.

        sh 4-tls-with-ca-numeric
                With TLS and access to the CA cert.
                This one uses ldap:// and succeeds.

|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |