[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Bug in tlso_session_chkhost?

--On Tuesday, May 09, 2017 10:58 PM +0200 Michael Ströder <michael@stroeder.com> wrote:

"subjectAltName" means *alternative* name. It is totally correct for
libldap to reject your cert with a hostname mismatch when the cert cn is

Human language can cause misunderstandings. So maybe I misread your
statement. But I'm reading your sentence that the CN must always match or
at least be a FQDN even if a subjectAltName value already matched.

Right now, it requires that a value in subjectAltName match the local host name, which is also invalid. I know the purpose of the check is to allow someone to use -H ldap://localhost to the ldap client, where the cert only exists for the hostname (I.e., it has no DNS:localhost value). However, the current code I maintain is incorrect in that it invalidates the current case, where everything is restricted to "localhost". Quite frankly, the certcn can technically be anything, as long as at least one value in subjectAltName matches.

Unfortunately, I can't do an IP based cert either, since I've no idea what "localhost" will actually map to on the system.



Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP: