Re: Bug in tlso_session_chkhost?
- To: Quanah Gibson-Mount <firstname.lastname@example.org>, email@example.com
- Subject: Re: Bug in tlso_session_chkhost?
- From: Howard Chu <firstname.lastname@example.org>
- Date: Tue, 9 May 2017 10:01:31 +0100
- In-reply-to: <WMemail@example.com>
- References: <2A006134276576B5A86D7A20@[192.168.1.19]> <WMfirstname.lastname@example.org>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0 SeaMonkey/2.46a2
Quanah Gibson-Mount wrote:
> For the test suite, I've generated a server cert with:
> Subject: C=US, ST=CA, O=OpenLDAP Foundation, OU=OpenLDAP Test Suite, CN=localhost
> X509v3 Subject Alternative Name:
> slapd is listening as:
> -h ldap://localhost:9011/ ldaps://localhost:9012/ -d 0x4105
> I.e., slapd is referring to itself as "localhost", and the cert fully refers
> to itself as "localhost".
> However, if I do a startTLS op to this host with reqcert set to "demand", it
> TLS: hostname (u16build) does not match common name in certificate (localhost).
> Given that everything is using "localhost", it seems to me it should succeed
> rather than fail, and that this error is incorrect.
> The issue seems to be this if statement in tls_o.c:
> if( ldap_int_hostname &&
> ( !name_in || !strcasecmp( name_in, "localhost" ) ) )
> If I remove the check against the "localhost" name, things succeed as expected.
Fwiw, I routinely test with a localhost cert, and this check has never tripped
for me. But my ldap_int_hostname is also "localhost" - apparently something on
your system insists that your hostname is "u16build".
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
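Added illustration for readers of this archive; it is not OpenLDAP's tls_o.c and not code from either poster. It models the check quoted above under one assumption, inferred from the error message and the reply: when ldap_int_hostname is set and the requested name is absent or "localhost", the name compared with the certificate is ldap_int_hostname rather than the host from the LDAP URL. The names chkhost, effective_name, name_matches, suite_cert and the localhost_subst flag (which models removing the strcasecmp clause while keeping the !name_in clause) are this example's own; the certificate identity is a constructed stand-in for the test-suite cert (CN plus SAN dNSName entries, since the SAN contents are not shown in the mail).

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Hypothetical model of the hostname check discussed in this thread.
 * It is NOT OpenLDAP's tls_o.c. Assumption (inferred from the error message
 * and the reply): when ldap_int_hostname is set and the requested name is
 * absent or "localhost", the name compared with the certificate is
 * ldap_int_hostname rather than the host taken from the LDAP URL. */

#define CHKHOST_OK        0
#define CHKHOST_MISMATCH  1

/* Constructed certificate identity: the subject CN plus SAN dNSName
 * entries (NULL-terminated list). */
struct cert_names {
    const char *cn;
    const char *san[4];
};

/* Stand-in for the test-suite certificate: CN=localhost, SAN dNSName=localhost. */
const struct cert_names suite_cert = { "localhost", { "localhost", NULL } };

/* The name that will actually be compared against the certificate.
 * localhost_subst = 1 keeps the strcasecmp(name_in, "localhost") clause
 * quoted in the thread; 0 models its removal (the !name_in clause stays). */
const char *effective_name(const char *name_in, const char *ldap_int_hostname,
                           int localhost_subst)
{
    if (ldap_int_hostname &&
        (!name_in || (localhost_subst && !strcasecmp(name_in, "localhost"))))
        return ldap_int_hostname;
    return name_in;
}

/* Case-insensitive exact match against the CN or any SAN dNSName.
 * Wildcards and IP-address SANs are deliberately not modelled here. */
static int name_matches(const struct cert_names *c, const char *name)
{
    if (!name)
        return 0;
    if (c->cn && !strcasecmp(c->cn, name))
        return 1;
    for (int i = 0; c->san[i]; i++)
        if (!strcasecmp(c->san[i], name))
            return 1;
    return 0;
}

/* Returns CHKHOST_OK or CHKHOST_MISMATCH; on mismatch fills msg (if given)
 * with a line in the same shape as the log message quoted in the mail. */
int chkhost(const struct cert_names *c, const char *name_in,
            const char *ldap_int_hostname, int localhost_subst,
            char *msg, size_t msglen)
{
    const char *name = effective_name(name_in, ldap_int_hostname, localhost_subst);

    if (name_matches(c, name)) {
        if (msg && msglen)
            msg[0] = '\0';
        return CHKHOST_OK;
    }
    if (msg && msglen)
        snprintf(msg, msglen,
                 "TLS: hostname (%s) does not match common name in certificate (%s).",
                 name ? name : "(none)", c->cn ? c->cn : "(none)");
    return CHKHOST_MISMATCH;
}

int main(void)
{
    char msg[160];
    /* Replier's setup: the local hostname is also "localhost", so the check passes. */
    printf("%d\n", chkhost(&suite_cert, "localhost", "localhost", 1, msg, sizeof msg));
    /* Reporter's setup: "u16build" is substituted for "localhost" and no longer matches. */
    printf("%d %s\n", chkhost(&suite_cert, "localhost", "u16build", 1, msg, sizeof msg), msg);
    /* Same host with the "localhost" clause removed: the URL's own name is kept. */
    printf("%d\n", chkhost(&suite_cert, "localhost", "u16build", 0, msg, sizeof msg));
    return 0;
}
```

Under this model the security-relevant difference between the two setups is only what the local hostname resolves to: with the clause present, a client that connects to "localhost" expects the certificate to name the machine itself, so a cert that says only "localhost" is accepted on a box whose hostname is "localhost" and rejected on one called "u16build". Removing the clause makes the URL's literal "localhost" the expected identity regardless of the machine's name, which is exactly the behaviour change the reporter observed.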