[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#7014) TLS: certificate hostnames are being checked when TLS_REQCERT is se to allow

Full_Name: Jan Vcelak
Version: master
OS: Linux
URL: http://jvcelak.fedorapeople.org/openldap/0001-TLS-do-not-check-hostname-when-reqcert-is-allow.patch
Submission from: (NULL) (


If server certificate hostname does not match the server hostname, connection is
closed even if client has set TLS_REQCERT to 'allow'. This is wrong - the
documentation says, that bad certificates are being ignored when TLS_REQCERT is
set to 'allow'. (Other certificate failures (like invalid CA) are handled as
expected - at least with MozNSS.)

I'm attaching patch, which fixes this behavior. The patch applies on master
branch. (OpenLDAP FTP server for incoming patches reports 'No space left on
device.', that's why I uploaded the patch to fedorapeople.org.)