Re: TLS hostname check screwed up?

Michael Ströder wrote:

> I'm using libldap of RE24 and have a problem with host name checking when
> doing TLS.
>
> OpenLDAP's debug output (real hostname exactly replaced by srv.domain.local):
>
> ------------------------------ snip ------------------------------
> TLS: hostname (srv.domain.local.) does not match common name in certificate
> ------------------------------ snip ------------------------------
>
> Is this because of the trailing dot?

Probably. The RFC requires an exact match, there's no exception for dots.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
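
The mismatch discussed in this thread, as an added example that is not part of the original messages and is not OpenLDAP's code: an exact comparison rejects the fully qualified form with the trailing dot, and a client can remove that dot from the name before using it as the TLS reference identity. The function names and the certificate name are hypothetical, and the comparison is assumed to be a case-insensitive exact string match.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper: exact, case-insensitive comparison of the name the
 * client connected to against a name taken from the certificate.
 * Returns 1 on match, 0 otherwise. No wildcard handling here. */
static int name_matches_exact(const char *host, const char *cert_name)
{
    return strcasecmp(host, cert_name) == 0;
}

/* Hypothetical helper: copy host into out without one trailing root dot.
 * Returns 0 on success, -1 if the result would be empty or does not fit. */
static int strip_trailing_dot(const char *host, char *out, size_t outlen)
{
    size_t n = strlen(host);

    if (n > 0 && host[n - 1] == '.')
        n--;                      /* drop only the single root label dot */
    if (n == 0 || n >= outlen)
        return -1;                /* "" or "." is not a usable host name */
    memcpy(out, host, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    const char *cert_cn = "srv.domain.local";      /* constructed sample */
    const char *requested = "srv.domain.local.";   /* form seen in the debug output */
    char normalized[256];

    printf("as requested: %s\n",
           name_matches_exact(requested, cert_cn) ? "match" : "no match");

    if (strip_trailing_dot(requested, normalized, sizeof normalized) != 0) {
        fprintf(stderr, "unusable host name\n");
        return 1;
    }
    printf("normalized (%s): %s\n", normalized,
           name_matches_exact(normalized, cert_cn) ? "match" : "no match");
    return 0;
}
```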