
Re: (ITS#8846) Patch to introduce new LDAP option to ignore hostname checking while verifying certificates in TLS mode
sudhir.singam@nokia.com wrote:
> Full_Name: Singam Sudhir Reddy
> Version: master branch
> OS: fedora
> URL: ftp://ftp.openldap.org/incoming/sudhirsingam-180506.patch
> Submission from: (NULL) (61.1.232.154)
> 
> 
> The attached file is derived from OpenLDAP Software. All of the modifications to
> OpenLDAP Software represented in the following patch(es) were developed by
> NOKIA. NOKIA has not assigned rights and/or interest in this work to any party.
> I, SINGAM SUDHIR REDDY, am authorized by NOKIA, my employer, to release this work
> under the following terms.
> 
> NOKIA hereby places the following modifications to OpenLDAP Software (and only
> these modifications) into the public domain. Hence, these modifications may be
> freely used and/or redistributed for any purpose with or without attribution
> and/or other notice.
> 
> ****
> Description:
> 
> This is a minor enhancement to introduce a new LDAP option
> "LDAP_OPT_X_TLS_DEMAND_EXCL_HOSTNAME_CHECK" to ignore hostname checking by the
> client in TLS communication mode. This is very similar to the
> "LDAP_OPT_X_TLS_DEMAND" LDAP option except that HOSTNAME checking is ignored.
> 
> This option can be set by the client either by using the LDAP API "ldap_set_option"
> or can be globally set in the configuration file /etc/openldap/ldap.conf as
> below.
> 
> TLS_REQCERT demand_excl_hostname_check
> 
> Purpose:
> 
> Generally operators use the same set of certificates for different services (from
> different hosts) which support TLS communication. When such certificates are
> used, this option gives OpenLDAP-based services a facility to ignore hostname
> checking at the client side.

No. If you're using a single set of certificates for multiple hosts you should
be using a wildcard cert. Closing this ITS.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
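The exchange above turns on one point: a client that keeps hostname checking (TLS_REQCERT demand) can still share one certificate across several hosts if that certificate carries a wildcard dNSName SAN, whereas the proposed demand_excl_hostname_check setting would accept any certificate the CA has issued, for any host. The following is an added illustration, not code from the ITS, the patch or libldap; it models the two client policies with a small RFC 6125-style SAN matcher, and the certificate SAN lists and hostnames in it are constructed sample values.

```python
# Added example: minimal RFC 6125-style hostname matching against a certificate's
# dNSName SANs, plus a model of the two client policies discussed in ITS#8846.
# Not OpenLDAP code; SAN lists and hostnames below are constructed samples.

def hostname_matches_san(hostname, san_names):
    """True if hostname is covered by any dNSName SAN (case-insensitive).
    A wildcard is accepted only as the entire leftmost label, must not be the
    only label before the TLD (no "*.com"), and never spans more than one
    label ("*.example.com" does not cover "a.b.example.com")."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san_names:
        pat = name.lower().rstrip(".").split(".")
        if len(pat) != len(host):
            continue  # a wildcard never matches several labels at once
        if "*" in pat and (pat[0] != "*" or "*" in pat[1:] or len(pat) < 3):
            continue  # reject "ld*.example.com", "ldap.*.com", "*.com"
        if all(p == "*" or p == h for p, h in zip(pat, host)):
            return True
    return False


def tls_reqcert_decision(policy, cert_sans, hostname, chain_valid=True):
    """Model the client-side outcome for TLS_REQCERT 'demand' (as shipped) and the
    proposed 'demand_excl_hostname_check'. Returns (accepted, reason)."""
    if policy not in ("demand", "demand_excl_hostname_check"):
        raise ValueError("unknown policy: %s" % policy)
    if not chain_valid:
        return False, "certificate chain not trusted"
    if policy == "demand" and not hostname_matches_san(hostname, cert_sans):
        return False, "hostname not in SAN"
    return True, "accepted"


if __name__ == "__main__":
    # Howard's suggestion: one wildcard cert, hostname check kept on.
    wildcard_cert = ["*.example.com", "example.com"]  # constructed SANs
    for host in ("ldap1.example.com", "ldap2.example.com", "a.b.example.com"):
        print(host, tls_reqcert_decision("demand", wildcard_cert, host))
    # The risk of the proposed option: a cert issued for a different host
    # by the same CA is accepted for the LDAP server's name.
    other_cert = ["mail.example.com"]  # constructed SANs
    for policy in ("demand", "demand_excl_hostname_check"):
        print(policy, tls_reqcert_decision(policy, other_cert, "ldap.example.com"))
```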