
Re: Bug in tlso_session_chkhost?

--On Wednesday, May 10, 2017 10:49 AM -0700 Ryan Tandy <ryan@nardis.ca> wrote:

On Wed, May 10, 2017 at 09:32:59AM -0700, Quanah Gibson-Mount wrote:
RFC 6761 specifically notes that "localhost." is in fact a domain name
(Section 6.3).  Therefore, my certificates are in fact correct, and
the OpenLDAP code check is indeed a bug.

"localhost." is a perfectly valid FQDN (as is the relatively common
"localhost.localdomain."), but from earlier in the thread I gathered your
system's FQDN is actually "u16build." or "u16build.some.domain.".

The FQDN of the system is immaterial. The point is to have a certificate without *any* reference to the system hostname, and be entirely based on localhost. The RFCs seem to indicate that is perfectly legitimate. It is the OpenLDAP code check that breaks this ability.
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
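As an added illustration of the point argued above, the following Python is a small RFC 6125-style hostname matcher that treats the fully-qualified form "localhost." and the bare "localhost" as the same name, while still rejecting a certificate that names the machine's own hostname when the client connected to localhost. It is not OpenLDAP's tlso_session_chkhost and not code from anyone in this thread; the certificate names, the reference hostnames and the wildcard rules (whole-label wildcard in the left-most label only, with at least two labels after it) are assumptions made for the example.

```python
"""
Hostname matching for TLS server certificates, RFC 6125 style.
Added illustration only: not OpenLDAP's tlso_session_chkhost and not
code from anyone in this thread. Assumes the reference identifier is a
DNS name (not an IP address) and that the certificate's dNSName SAN
entries are available as a plain list of strings.
"""


def normalize(name: str) -> str:
    # DNS names are case-insensitive, and a trailing dot (the
    # fully-qualified form, e.g. "localhost.") names the root and adds
    # no label, so "localhost." and "localhost" are the same name.
    n = name.strip().lower()
    if n.endswith("."):
        n = n[:-1]
    return n


def label_matches(pattern: str, label: str) -> bool:
    # Only a whole-label wildcard ("*") is honoured; partial wildcards
    # such as "f*o" are treated as literal labels and therefore fail.
    return pattern == "*" or pattern == label


def dns_name_matches(presented: str, reference: str) -> bool:
    """True if the certificate name `presented` matches `reference`."""
    p_labels = normalize(presented).split(".")
    r_labels = normalize(reference).split(".")
    # Label counts must agree, and empty labels ("", "a..b") never match.
    if len(p_labels) != len(r_labels) or not all(p_labels) or not all(r_labels):
        return False
    if "*" in p_labels:
        # Assumed wildcard policy: "*" only in the left-most label, no
        # other wildcards, and at least two labels after it, so "*.com"
        # and a bare "*" (which would cover "localhost") are rejected.
        if p_labels[0] != "*" or "*" in p_labels[1:] or len(p_labels) < 3:
            return False
    return all(label_matches(p, r) for p, r in zip(p_labels, r_labels))


def check_host(cert_names, reference: str) -> bool:
    """Accept the certificate if any presented dNSName matches the reference."""
    return any(dns_name_matches(n, reference) for n in cert_names)


# Constructed sample: a certificate that names only localhost and carries
# no reference to the machine's own FQDN, as described in the thread.
LOCALHOST_CERT_NAMES = ["localhost", "localhost.localdomain"]

if __name__ == "__main__":
    for ref in ("localhost", "localhost.", "LOCALHOST.localdomain", "u16build."):
        print(f"{ref!r:>25} -> {check_host(LOCALHOST_CERT_NAMES, ref)}")
```

Running the block shows the localhost-only certificate accepted for "localhost", "localhost." and "LOCALHOST.localdomain", and rejected for "u16build.", which is the behaviour a client connecting to a localhost-only listener would want from its check.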