[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Bug in tlso_session_chkhost?

To: Michael Ströder <michael@stroeder.com>, Howard Chu <hyc@symas.com>, openldap-devel@openldap.org
Subject: Re: Bug in tlso_session_chkhost?
From: Quanah Gibson-Mount <quanah@symas.com>
Date: Wed, 10 May 2017 09:32:59 -0700
Content-disposition: inline
In-reply-to: <WM!42c3ba3dcf596e6dd0bda2effc112f7dab8fe3d1c290c959d1c4d15622a11cb9e27d0712e325e20c3ece9ad2b781f02e!@mailstronghold-3.zmailcloud.com>
References: <2A006134276576B5A86D7A20@[192.168.1.19]> <WM!5e51e5d1a2ead3cba930ae31eb41d9bab1158bfe4fd4f1b3bc39bd41f8f6b36433bb02251fc67302a616e363c8ee0337!@mailstronghold-2.zmailcloud.com> <9744ec5c-90c0-68e3-5c7a-ace68fbd711d@symas.com> <796AD360ECF1C55A642A8F3B@[192.168.1.19]> <fa41d889-fd9b-07f9-5d09-2f0760d583b3@symas.com> <71671977-6211-348b-c8ac-586d4af0e031@stroeder.com> <WM!f23f84644cc0e2f103ba5c9aba1bd61059b687261a1c4293c1677863d7668e3bac63d2fb954d030905651563e1e4d1db!@mailstronghold-2.zmailcloud.com> <2817658C7EA0A04BD6B8FA96@[192.168.1.19]> <60b094bf-a6b5-0dd7-d9c8-1aa25c765ebb@symas.com> <18BEB0EE5AD7F275CA3F4C6C@[192.168.1.19]> <7c8f2d5d-c189-8cb8-6c85-c322ac9d0df4@stroeder.com> <WM!770ed6a5d960360597ba3e402bfccdf09b18b96e6c6eb2bce2af8c9a08adcc603344ea35d82d0a31dddc85006980c642!@mailstronghold-1.zmailcloud.com> <A32F20071B8440F8CBA43B4D@[192.168.1.19]> <WM!42c3ba3dcf596e6dd0bda2effc112f7dab8fe3d1c290c959d1c4d15622a11cb9e27d0712e325e20c3ece9ad2b781f02e!@mailstronghold-3.zmailcloud.com>

--On Wednesday, May 10, 2017 10:11 AM -0700 Quanah Gibson-Mount<quanah@symas.com> wrote:

RFC 6125 which in turn mentions RFC 4513.


Thanks.

From RFC 6125:


6.4.4.  Checking of Common Names

   As noted, a client MUST NOT seek a match for a reference identifier
   of CN-ID if the presented identifiers include a DNS-ID, SRV-ID,
   URI-ID, or any application-specific identifier types supported by the
   client.


Therefore, as I noted, the certcn is immaterial since I have a DNS: value
specified, and it is then required that the certcn be ignored.  The rest
of the RFC doesn't really cover special cases like localhost.  I still
see nothing in the RFC that states what's I'm doing is invalid.  It does
appear to be outside of what's normally done, but that's not surprising.

RFC 6761 specifically notes that "localhost." is in fact a domain name(Section 6.3). Therefore, my certificates are in fact correct, and theOpenLDAP code check is indeed a bug.


--Quanah



--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

Follow-Ups:
- Re: Bug in tlso_session_chkhost?
  - From: Ryan Tandy <ryan@nardis.ca>

References:
- Bug in tlso_session_chkhost?
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Re: Bug in tlso_session_chkhost?
  - From: Howard Chu <hyc@symas.com>
- Re: Bug in tlso_session_chkhost?
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Re: Bug in tlso_session_chkhost?
  - From: Howard Chu <hyc@symas.com>
- Re: Bug in tlso_session_chkhost?
  - From: Michael Ströder <michael@stroeder.com>
- Re: Bug in tlso_session_chkhost?
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Re: Bug in tlso_session_chkhost?
  - From: Howard Chu <hyc@symas.com>
- Re: Bug in tlso_session_chkhost?
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Re: Bug in tlso_session_chkhost?
  - From: Michael Ströder <michael@stroeder.com>
- Re: Bug in tlso_session_chkhost?
  - From: Quanah Gibson-Mount <quanah@symas.com>

Prev by Date: Re: Bug in tlso_session_chkhost?
Next by Date: Re: Bug in tlso_session_chkhost?
Index(es):
- Chronological
- Thread