
Re: (ITS#8846) Patch to introduce new LDAP option to ignore hostname checking while verifying certificates in TLS mode



> c)	DNS server is not set up.  I.e., the certificate could be issued
> with a name like "netact.operator", but we'd be using 10.2.3.7, and
> DNS has not been setup in the operator internal network.
> But what we feel is that there should be an option to be chosen by
> user to either ignore or enable hostname checking.

If you're using ldaps://10.2.3.7 for connecting without DNS resolving 
you could add a subjectAltName extension to your server cert containing 
this particular IP address. That's basically just another GeneralName type.

You could also tweak your local /etc/hosts (preferably with decent 
config mgt.) to correctly map FQDN "netact.operator" to the IP address.

> Already we know
> that HTTP clients, for example, browsers provide such option to user
> and it's up to the user that whether to continue communication to the
> server or not, if hostname mismatch occurs.

Note that web browsers are driven interactively by users whereas LDAP 
clients are most times systems without direct user interaction. In the 
interactive case you simply delegate the informed trust decision to the 
user which is a bad thing to do anyway. Therefore web browsers will also 
limit this functionality in the not so far future.

Ciao, Michael.


P.S.:
Due to MIME processing deficiencies of the ITS your messages are 
displayed base64-encoded and therefore hard to read:
https://www.openldap.org/its/index.cgi?findid=8846#followup4
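To illustrate the two suggestions above (an iPAddress subjectAltName entry, or an /etc/hosts mapping so the client connects by FQDN), here is an added example that is not part of this thread or of OpenLDAP: a small reference-identity check over certificates in the dict shape Python's ssl.getpeercert() returns. The certificates and the function names are constructed for the example; CN fallback behaviour, which differs between TLS libraries, is deliberately not modelled.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed peer certificates in the shape ssl.SSLSocket.getpeercert() returns.
# No real keys or certificates are involved.
CERT_DNS_SAN_ONLY = {
    "subject": ((("commonName", "netact.operator"),),),
    "subjectAltName": (("DNS", "netact.operator"),),
}
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "netact.operator"),),),
    "subjectAltName": (("DNS", "netact.operator"), ("IP Address", "10.2.3.7")),
}

def _dns_match(pattern, host):
    """RFC 6125 style dNSName matching: case-insensitive, a wildcard is only
    allowed as the whole leftmost label and needs at least two labels after it."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or (p[0] == "*" and len(p) < 3):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]  # *.ops.operator never matches ops.operator itself
    return p == h

def cert_matches_reference_id(cert, reference_id):
    """True if the connect target is covered by the cert's subjectAltName.
    An IP literal only matches an iPAddress entry, a hostname only a dNSName
    entry; this is why CN=netact.operator alone does not help ldaps://10.2.3.7."""
    try:
        ip = ipaddress.ip_address(reference_id)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address":
            if ipaddress.ip_address(value) == ip:
                return True
        elif ip is None and kind == "DNS" and _dns_match(value, reference_id):
            return True
    return False

def check_ldaps_url(url, cert):
    """Apply the check to the host part of an ldaps:// URL. With an /etc/hosts
    entry the client connects by FQDN, so the reference identity is the name,
    not the address it resolves to."""
    return cert_matches_reference_id(cert, urlparse(url).hostname)
```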