Re: (ITS#8846) Patch to introduce new LDAP option to ignore hostname checking while verifying certificates in TLS mode

[sudhir.singam@gmail.com]

Hi,

Thanks for the reply.

For DNS use case,

"
Operator may make certificates only once in a while (as they cost),
and at that point it is not certain that all IP addresses are known.
They likely might now only know the current literal address, but the
numeric address can change in the lifetime of the certificate

Changing /etc/hosts is not possible, as this configuration is not
supported for operators.
"

Still we feel configuration is a good thing, i.e., if one explicitly
wants to allow a connection despite of warnings (i.e., has analysed
the warning to be a false positive), that should still be acceptable,
and not unilaterally bad. Also, one needs to be able to distinguish
between =E2=80=9Cnormal=E2=80=9D network (open for everyone), and an operat=
or-internal
network: requirements for these two are different, and if one library
is to serve both, it should be able to handle (=3Dbeing configurable)
both use cases.

System configuration setup is anyway also done by a human, so if
someone wants explicitly disable some checks for automated clients, it
is logically similar to a human pressing some =E2=80=9Cacknowledge=E2=80=9D=
 button.

And i don't think the browsers are going to remove it, at most they
may move this option to settings. I think nobody wants a monolithic
browser that cannot be tailored for user needs, which anyway cannot be
anticipated by the browser maker. Whether it is interactive or
configuration based does not matter as long as the configuration is
there somehow. And the same logic applies also for LDAP ;)

But then openLDAP or openSSL is already providing options to ignore
some of the certificate errors, for example, i can set SSL verify call
back function via LDAP options to ignore certificate CRL errors and
continue the connection. So i still wonder why it is not possible in
this case and feel it has to be user configurable.

Regards,
Sudhir,
NOKIA