
Re: Bug in tlso_session_chkhost?



Quanah Gibson-Mount wrote:
--On Tuesday, May 09, 2017 10:58 PM +0200 Michael Ströder
<michael@stroeder.com> wrote:

"subjectAltName" means *alternative* name. It is totally correct for
libldap to reject your cert with a hostname mismatch when the cert cn is
incorrect.

Human language can cause misunderstandings. So maybe I misread your
statement. But I'm reading your sentence that the CN must always match or
at least be a FQDN even if a subjectAltName value already matched.

No. One or the other must match, but the CN must be an FQDN. The point of alternatives is to support wildcards, aliases, and non-DNS name forms (such as an IP address).

Right now, it requires that a value in subjectAltName match the local host
name, which is also invalid.


I know the purpose of the check is to allow
someone to use -H ldap://localhost to the ldap client, where the cert only
exists for the hostname (i.e., it has no DNS:localhost value).

Yes.

However, the
current code I maintain is incorrect in that it invalidates the current case,
where everything is restricted to "localhost".

No. "everything is restricted to localhost" is meaningless. Telling slapd to listen on "-h ldap://localhost" doesn't change slapd's hostname to "localhost".


Quite frankly, the certcn can
technically be anything, as long as at least one value in subjectAltName matches.

Agreed.

Unfortunately, I can't do an IP based cert either, since I've no idea what
"localhost" will actually map to on the system.

Sorry but that makes no sense. "localhost" is 127.0.0.1. Always.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
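The matching rule stated in the reply above (a subjectAltName or the CN must match, the CN counts only when it is an FQDN, a matching dNSName SAN makes the CN irrelevant, and ldap://localhost is accepted when the cert was issued for the machine's own host name) written out as a standalone example. This is added illustration, not libldap's tlso_session_chkhost or any other OpenLDAP code: certificates are modelled as plain dicts rather than parsed X.509, the function and parameter names are made up for this example, and the sample host names and certificates are constructed.

```python
"""Illustrative TLS hostname check following the rule from the thread.

Added example, not OpenLDAP code. A certificate is represented as a dict
(constructed stand-in for parsed X.509 data):
    {"cn": str or None, "san_dns": [dNSName SANs], "san_ip": [iPAddress SANs]}
"""
import ipaddress
import re

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, <= 63 chars.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def dns_name_matches(pattern, host):
    """Case-insensitive match of a certificate name against a requested host.

    A single leading '*.' matches exactly one label, so '*.example.com'
    matches 'db.example.com' but neither 'example.com' nor 'a.b.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        host_labels = host.split(".")
        return len(host_labels) >= 3 and ".".join(host_labels[1:]) == pattern[2:]
    return False


def is_fqdn(name):
    """True for a dotted host name made of valid labels (wildcard allowed only
    as the left-most label). IP literals and single-label names such as
    'localhost' or 'myserver' are not FQDNs."""
    try:
        ipaddress.ip_address(name)
        return False
    except ValueError:
        pass
    labels = name.rstrip(".").split(".")
    if len(labels) < 2:
        return False
    first, rest = labels[0], labels[1:]
    return (first == "*" or bool(_LABEL.match(first))) and all(_LABEL.match(l) for l in rest)


def check_host(cert, requested_host, local_hostname=None, strict_rfc6125=False):
    """Return True if `cert` is acceptable for `requested_host`.

    local_hostname: the connecting machine's own host name; consulted only
        when requested_host is 'localhost' (the -H ldap://localhost case).
    strict_rfc6125: if True, the CN is ignored whenever any dNSName SAN exists,
        which is what RFC 6125 section 6.4.4 asks for.
    """
    try:
        wanted_ip = ipaddress.ip_address(requested_host)
    except ValueError:
        wanted_ip = None

    # An IP literal in the URL is only ever satisfied by an iPAddress SAN.
    if wanted_ip is not None:
        return any(ipaddress.ip_address(s) == wanted_ip for s in cert.get("san_ip", []))

    san_dns = cert.get("san_dns", [])
    # Any matching dNSName SAN wins; the CN can then be anything at all.
    if any(dns_name_matches(name, requested_host) for name in san_dns):
        return True

    # Otherwise the CN may match, but only if it is a real FQDN.
    cn = cert.get("cn")
    if cn and is_fqdn(cn) and not (strict_rfc6125 and san_dns):
        if dns_name_matches(cn, requested_host):
            return True

    # ldap://localhost convenience: a cert issued for the machine's own host
    # name is accepted. Re-run the check against that name with the fallback
    # disabled; a cert that really carries DNS:localhost was already accepted
    # by the SAN comparison above, so it never depends on this branch.
    if requested_host.lower() == "localhost" and local_hostname:
        return check_host(cert, local_hostname, None, strict_rfc6125)

    return False


if __name__ == "__main__":
    # Constructed sample certificates.
    server_cert = {"cn": "ldap.example.com",
                   "san_dns": ["ldap.example.com", "*.example.com"],
                   "san_ip": ["127.0.0.1"]}
    localhost_cert = {"cn": "localhost", "san_dns": ["localhost"], "san_ip": []}
    for host, local in [("ldap.example.com", None), ("db.example.com", None),
                        ("example.com", None), ("127.0.0.1", None), ("::1", None),
                        ("localhost", "ldap.example.com"), ("localhost", None)]:
        print(f"server cert, host={host!r}, local_hostname={local!r}:",
              check_host(server_cert, host, local))
    print("DNS:localhost cert, host='localhost':",
          check_host(localhost_cert, "localhost", "ldap.example.com"))
```

The ordering is the point: the SAN comparison runs before the local-hostname fallback, so a certificate that genuinely carries DNS:localhost is accepted for ldap://localhost regardless of what the machine's own host name is, while a certificate issued only for the machine's FQDN is accepted for ldap://localhost via the fallback. Note that RFC 6125 tells verifiers to ignore the CN once any dNSName SAN is present; the `strict_rfc6125` switch shows that stricter variant next to the "one or the other" rule described in the thread.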