[Date Prev][Date Next] [Chronological] [Thread] [Top]

Bug in tlso_session_chkhost?

To: openldap-devel@openldap.org
Subject: Bug in tlso_session_chkhost?
From: Quanah Gibson-Mount <quanah@symas.com>
Date: Mon, 08 May 2017 14:38:34 -0700
Content-disposition: inline

For the test suite, I've generated a server cert with:

Subject: C=US, ST=CA, O=OpenLDAP Foundation, OU=OpenLDAP Test Suite,CN=localhost


and

           X509v3 Subject Alternative Name:
               DNS:localhost

slapd is listening as:

/home/build/git/symas-packages/thirdparty/openldap/build/UBUNTU16_64/symas-openldap/servers/slapd/.libs/lt-slapd-s0 -f/home/build/git/symas-packages/thirdparty/openldap/build/UBUNTU16_64/symas-openldap/tests/testrun/slapd.1.conf-h ldap://localhost:9011/ ldaps://localhost:9012/ -d 0x4105

I.e., slapd is referring to itself as "localhost", and the cert fullyrefers to itself as "localhost".

However, if I do a startTLS op to this host with reqcert set to "demand",it fails with:

TLS: hostname (u16build) does not match common name in certificate(localhost).

Given that everything is using "localhost", it seems to me it shouldsucceed rather than fail, and that this error is incorrect.


The issue seems to be this if statement in tls_o.c:

       if( ldap_int_hostname &&
               ( !name_in || !strcasecmp( name_in, "localhost" ) ) )
       {

if I remove the check against the "localhost" name, things succeed asexpected.


Is there something valid we are trying to protect against here?

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

Prev by Date: Fwd: Discussion on Hacker News about CMU discontinuing Cyrus
Next by Date: Re: Bug in tlso_session_chkhost?
Index(es):
- Chronological
- Thread