[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Bug in tlso_session_chkhost?

Quanah Gibson-Mount wrote:
--On Tuesday, May 09, 2017 10:58 PM +0200 Michael Ströder
<michael@stroeder.com> wrote:

"subjectAltName" means *alternative* name. It is totally correct for
libldap to reject your cert with a hostname mismatch when the cert cn is

Human language can cause misunderstandings. So maybe I misread your
statement. But I'm reading your sentence that the CN must always match or
at least be a FQDN even if a subjectAltName value already matched.

No. One or the other must match, but the CN must be an FQDN. The point of alternatives is to support wildcards, aliases, and non-DNS name forms (such as IP address).

Right now, it requires that a value in subjectAltName match the local host
name, which is also invalid.

I know the purpose of the check is to allow
someone to use -H ldap://localhost to the ldap client, where the cert only
exists for the hostname (I.e., it has no DNS:localhost value).


 However, the
current code I maintain is incorrect in that it invalidates the current case,
where everything is restricted to "localhost".

No. "everything is restricted to localhost" is meaningless. Telling slapd to listen on "-h ldap://localhost"; doesn't change slapd's hostname to "localhost".

 Quite frankly, the certcn can
technically be anything, as long as at least one value in subjectAltName matches.


Unfortunately, I can't do an IP based cert either, since I've no idea what
"localhost" will actually map to on the system.

Sorry but that makes no sense. "localhost" is Always.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/