[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#7194) tlso_session_chkhost issue for OpenSSL TLS
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#7194) tlso_session_chkhost issue for OpenSSL TLS
- From: hyc@symas.com
- Date: Fri, 9 Mar 2012 03:37:18 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
dimosthenis.pettas@nsn.com wrote:
> Full_Name: Dimosthenis Pettas
> Version: 2.4.23
> OS: SOLARIS
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (62.159.77.167)
Thanks for the report, fixed in git master.
>
> I use OpenLDAP version 2.4.23 client to connect via TLS to an LDAP
> server(slapd).
> i initialize connection with an IPV6 address using url
> ldap://[fd00:1111:1111:72:20c:29ff:fec5:4ade]:389 and then try to extend
> connection to TLS with calling ldap_start_tls_s. when trying to match
> client-server certificates hosts inside tlso_session_chkhost in tls_o.c we try
> to determine client host type(IS_DNS,IS_IP4,IS_IP6) but for IPV6 it expects to
> find "[" at first position and "]" at latst one to determine IPV6 address:
>
> #ifdef LDAP_PF_INET6
> if (name[0] == '['&& strchr(name, ']')) {
> char *n2 = ldap_strdup(name+1);
> *strchr(n2, ']') = 0;
> if (inet_pton(AF_INET6, n2,&addr))
> ntype = IS_IP6;
> LDAP_FREE(n2);
> } else
>
> but it seems that [] have been removed inside ldap_url_parse_ext in Url.c:
>
>
> /* If [ip address]:port syntax, url is [ip and we skip the [ */
> ludp->lud_host = LDAP_STRDUP( url + is_v6 );
>
> So name is not [fd00:1111:1111:72:20c:29ff:fec5:4ade] but
> fd00:1111:1111:72:20c:29ff:fec5:4ade and code above fails to determine ntype =
> IS_IP6.
>
> i modified code to:
>
> #ifdef LDAP_PF_INET6
>
> if (inet_pton(AF_INET6, name,&addr))
> {
> ntype = IS_IP6;
>
> } else
> #endif
> if ((ptr = strrchr(name, '.'))&& isdigit((unsigned char)ptr[1])) {
> if (inet_aton(name, (struct in_addr *)&addr))
> {
> ntype = IS_IP4;
>
> }
> }
>
> letting functions inet_pton and inet_aton determing IP type.Scenario worked.
> Let me know if i miss anything or this should be corrected.
>
> Sorry for submitting again ,i wanted to correct email address
>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/