[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Bug in tlso_session_chkhost?

--On Wednesday, May 10, 2017 7:01 PM +0200 Michael Ströder <michael@stroeder.com> wrote:

Quanah Gibson-Mount wrote:
--On Wednesday, May 10, 2017 4:21 PM +0100 Howard Chu <hyc@symas.com>

No. One or the other must match, but the CN must be an FQDN. The point
of alternatives is to support wildcards, aliases, and non-DNS name forms
(such as IP address).

RFC reference?

RFC 6125 which in turn mentions RFC 4513.


From RFC 6125:

6.4.4.  Checking of Common Names

  As noted, a client MUST NOT seek a match for a reference identifier
  of CN-ID if the presented identifiers include a DNS-ID, SRV-ID,
  URI-ID, or any application-specific identifier types supported by the

Therefore, as I noted, the certcn is immaterial since I have a DNS: value specified, and it is then required that the certcn be ignored. The rest of the RFC doesn't really cover special cases like localhost. I still see nothing in the RFC that states what's I'm doing is invalid. It does appear to be outside of what's normally done, but that's not surprising.



Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP: