Re: TLS Server Identity Check
At 05:42 PM 11/24/00 +0100, Norbert Klasen wrote:
>"Kurt D. Zeilenga" wrote:
>> I crossed my replies... It was the tls.c change I made a couple
>> of very minor changes to. Also, I have yet to review the changes
>> in terms of RFC 2830 compliance (which states exactly how
>> server certs must be checked).
>Good point. RFC2830 states that:
> - The client MUST use the server hostname it used to open the LDAP
> connection as the value to compare against the server name as
> expressed in the server's certificate. The client MUST NOT use the
> server's canonical DNS name or any other derived form of name.
>Currently I get the hostname from ldap_host_connected_to() which DOES
>make a reverse lookup. ldap_host_connected_to() is also used in KBIND
>and SASL to determine the remote hostname. Shouldn't Kerberos and SASL
>also go by the initially specified hostname?
I believe the implementation of KBIND and SASL are correct for
KBIND and SASL. RFC2830 only applies to TLS as used by LDAP.
>And another point:
> If the hostname does not match the dNSName-based identity in the
> certificate per the above check, user-oriented clients SHOULD either
> notify the user (clients MAY give the user the opportunity to
> continue with the connection in any case) or terminate the connection
> and indicate that the server's identity is suspect. Automated clients
> SHOULD close the connection, returning and/or logging an error
> indicating that the server's identity is suspect.
>If we want to give clients a chance to let users override, the server
>identity check must be moved from ldap_pvt_tls_start(). But then what
>about automated clients? How's this best accounted for in a library?
There should be some callback which the caller can supply to
provide user feedback. In lieu of such a callback (or callback
mechanism), the library should be viewed as an "automated" client.
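The two RFC 2830 points discussed above (compare the hostname the client actually connected with, never a reverse-lookup name, against the certificate's dNSName values; and let a user-oriented client override a mismatch through a callback while a client without one is treated as "automated" and closes the connection) can be sketched as follows. This is an added example, not OpenLDAP's tls.c or any of its APIs; the function names check_server_identity(), dnsname_matches() and the identity_cb type are hypothetical, and the certificate names and hostnames in main() are constructed for illustration.

```c
/* Added example (not OpenLDAP code): RFC 2830 section 3.6 style server
 * identity check with an optional user-feedback callback. All names here
 * are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Case-insensitive comparison of n bytes (RFC 2830: matching is case-insensitive). */
static int ci_eq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Match the hostname used to open the connection against one dNSName from
 * the certificate. "*" is only accepted as the left-most name component and
 * covers exactly one label. Returns 1 on match, 0 otherwise. */
int dnsname_matches(const char *host, const char *dnsname)
{
    size_t hl = strlen(host), dl = strlen(dnsname);
    if (hl == 0 || dl == 0)
        return 0;
    if (dl >= 2 && dnsname[0] == '*' && dnsname[1] == '.') {
        /* "*.example.com": host must be <one-label>.example.com */
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)
            return 0;
        size_t rest = hl - (size_t)(dot - host);   /* ".example.com" in host   */
        size_t wrest = dl - 1;                        /* ".example.com" in name   */
        return rest == wrest && ci_eq(dot, dnsname + 1, rest);
    }
    if (strchr(dnsname, '*') != NULL)
        return 0;   /* a wildcard anywhere else is not allowed */
    return hl == dl && ci_eq(host, dnsname, hl);
}

/* Callback a user-oriented client may supply: return 1 to continue with the
 * connection despite the mismatch, 0 to terminate it. */
typedef int (*identity_cb)(const char *host, const char *const *names,
                           size_t nnames, void *arg);

/* Compare connect_host (NOT a reverse-lookup name) against the certificate's
 * dNSName values. Returns 0 when the identity is verified. On mismatch, with
 * no callback the library acts as an "automated" client and returns -1 (close
 * the connection); with a callback the caller decides (0 continue, -1 close). */
int check_server_identity(const char *connect_host,
                          const char *const *names, size_t nnames,
                          identity_cb cb, void *arg)
{
    for (size_t i = 0; i < nnames; i++)
        if (dnsname_matches(connect_host, names[i]))
            return 0;
    if (cb == NULL) {
        fprintf(stderr, "TLS: server identity suspect for %s\n", connect_host);
        return -1;
    }
    return cb(connect_host, names, nnames, arg) ? 0 : -1;
}

/* Two example callbacks: an interactive client might prompt the user here. */
int cb_continue(const char *h, const char *const *n, size_t k, void *a)
{ (void)h; (void)n; (void)k; (void)a; return 1; }
int cb_abort(const char *h, const char *const *n, size_t k, void *a)
{ (void)h; (void)n; (void)k; (void)a; return 0; }

int main(void)
{
    /* Constructed: dNSName values from the server certificate's subjectAltName. */
    const char *const names[] = { "ldap.example.com", "*.dir.example.com" };
    const char *connect_host = "LDAP.example.com";  /* what the client was given */
    const char *reverse_name = "host1.example.com"; /* what a PTR lookup might return */

    printf("connect name: %d\n", check_server_identity(connect_host, names, 2, NULL, NULL));
    printf("reverse name: %d\n", check_server_identity(reverse_name, names, 2, NULL, NULL));
    printf("reverse name, user overrides: %d\n",
           check_server_identity(reverse_name, names, 2, cb_continue, NULL));
    return 0;
}
```

The reverse-lookup pitfall is visible in main(): the certificate matches the name the user typed, so checking the name a PTR record gives back would reject a correctly configured server (or, worse, accept one whose PTR record an attacker controls), which is exactly why RFC 2830 forbids derived names.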