Re: Bug in tlso_session_chkhost?



--On Wednesday, May 10, 2017 7:01 PM +0200 Michael Ströder <michael@stroeder.com> wrote:

Quanah Gibson-Mount wrote:
--On Wednesday, May 10, 2017 4:21 PM +0100 Howard Chu <hyc@symas.com> wrote:

No. One or the other must match, but the CN must be an FQDN. The point
of alternatives is to support wildcards, aliases, and non-DNS name forms
(such as IP address).

RFC reference?

RFC 6125 which in turn mentions RFC 4513.

Thanks.

From RFC 6125:

6.4.4.  Checking of Common Names

  As noted, a client MUST NOT seek a match for a reference identifier
  of CN-ID if the presented identifiers include a DNS-ID, SRV-ID,
  URI-ID, or any application-specific identifier types supported by the
  client.


Therefore, as I noted, the certcn is immaterial since I have a DNS: value specified, and it is then required that the certcn be ignored. The rest of the RFC doesn't really cover special cases like localhost. I still see nothing in the RFC that states what I'm doing is invalid. It does appear to be outside of what's normally done, but that's not surprising.

--Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
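The section 6.4.4 rule quoted above, worked through as a standalone Python model (added here as an illustration; it is not OpenLDAP's tlso_session_chkhost and not code posted in the thread). It shows the point under discussion: once the certificate presents any DNS-ID (subjectAltName dNSName), the CN-ID is never consulted, so a CN of localhost neither helps nor hurts a client connecting by DNS name. The `PresentedIdentifiers` class, the sample certificate values and the "at least two labels after a wildcard" restriction are assumptions made for the example, not anything stated in the thread.

```python
"""RFC 6125 reference-identifier matching, modelled standalone.

Added example, not OpenLDAP code. It follows section 6.4.4: when the presented
identifiers include a DNS-ID, the CN-ID MUST NOT be used as a fallback.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PresentedIdentifiers:
    """Identifiers taken from a server certificate (constructed here, not parsed)."""
    cn: Optional[str] = None                          # CN-ID from the subject DN
    dns_ids: List[str] = field(default_factory=list)  # DNS-ID: SAN dNSName entries
    ip_ids: List[str] = field(default_factory=list)   # SAN iPAddress entries


def _is_ip_literal(reference: str) -> bool:
    try:
        ipaddress.ip_address(reference)
        return True
    except ValueError:
        return False


def _dns_name_match(reference: str, presented: str) -> bool:
    """Match one reference DNS name against one presented DNS name (RFC 6125 6.4.3).

    Labels are compared case-insensitively. A wildcard is honoured only when it is
    the whole left-most label (``*.example.com``); ``bar.*.example.net`` and partial
    wildcards such as ``f*.example.com`` are rejected. Requiring at least two labels
    to the right of the wildcard is a conservative choice made in this example so
    that ``*.com`` cannot match every name under a TLD.
    """
    ref = reference.rstrip(".").lower().split(".")
    pres = presented.rstrip(".").lower().split(".")
    if len(ref) != len(pres) or "" in ref or "" in pres:
        return False
    if "*" in pres[0]:
        return pres[0] == "*" and len(pres) >= 3 and ref[1:] == pres[1:]
    if any("*" in label for label in pres[1:]):
        return False
    return ref == pres


def check_host(reference: str, ids: PresentedIdentifiers) -> Tuple[bool, str]:
    """Return (matched, identifier type that decided the outcome)."""
    # An IP-address reference is compared only against iPAddress SAN entries;
    # an IP literal placed in the CN is not a CN-ID in RFC 6125 terms.
    if _is_ip_literal(reference):
        want = ipaddress.ip_address(reference)
        for ip in ids.ip_ids:
            try:
                if ipaddress.ip_address(ip) == want:
                    return True, "IP-ID"
            except ValueError:
                continue
        return False, "IP-ID"
    # Section 6.4.4: with any DNS-ID present, the CN-ID MUST NOT be consulted, so a
    # non-matching DNS-ID set fails the check even if the CN would have matched.
    if ids.dns_ids:
        for dns_id in ids.dns_ids:
            if _dns_name_match(reference, dns_id):
                return True, "DNS-ID"
        return False, "DNS-ID (CN-ID ignored)"
    # Only a certificate with no DNS-ID at all falls back to the CN-ID.
    if ids.cn and _dns_name_match(reference, ids.cn):
        return True, "CN-ID"
    return False, "no match"


if __name__ == "__main__":
    # Constructed certificate identifiers, not the ones from the thread.
    cert = PresentedIdentifiers(cn="localhost",
                                dns_ids=["ldap.example.com", "*.ldap.example.com"])
    for ref in ("ldap.example.com", "replica1.ldap.example.com", "localhost"):
        print(ref, check_host(ref, cert))
```

Running the block shows the two outcomes the thread turns on: `ldap.example.com` matches via the DNS-ID, while `localhost` fails with "CN-ID ignored" even though the CN is literally `localhost`. Drop the `dns_ids` list and the same `localhost` reference matches via CN-ID, which is the only situation in which section 6.4.4 permits the CN to count.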