Re: Bug in tlso_session_chkhost?
Quanah Gibson-Mount wrote:
> --On Wednesday, May 10, 2017 7:01 PM +0200 Michael Ströder
> <michael@stroeder.com> wrote:
>
>> Quanah Gibson-Mount wrote:
>>> --On Wednesday, May 10, 2017 4:21 PM +0100 Howard Chu <hyc@symas.com>
>>> wrote:
>>>
>>>> No. One or the other must match, but the CN must be an FQDN. The point
>>>> of alternatives is to support wildcards, aliases, and non-DNS name forms
>>>> (such as IP address).
>>>
>>> RFC reference?
>>
>> RFC 6125 which in turn mentions RFC 4513.
>
> Thanks.
>
> From RFC 6125:
>
> 6.4.4.  Checking of Common Names
>
>    As noted, a client MUST NOT seek a match for a reference identifier
>    of CN-ID if the presented identifiers include a DNS-ID, SRV-ID,
>    URI-ID, or any application-specific identifier types supported by the
>    client.
>
> Therefore, as I noted, the certcn is immaterial since I have a DNS: value
> specified, and it is then required that the certcn be ignored.  The rest of
> the RFC doesn't really cover special cases like localhost.  I still see
> nothing in the RFC that states what I'm doing is invalid.  It does appear to
> be outside of what's normally done, but that's not surprising.

The point is there is nothing on your machine that says your hostname is "localhost". Therefore, since the subjectAltName of DNS:localhost doesn't match any known name for your host, the cert is rejected.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
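The rule argued over in this thread, that the CN-ID is never consulted once a certificate carries a DNS-ID and that the reference identifier is the name the client actually connected to, as an added example that is not OpenLDAP's tlso_session_chkhost code. It assumes a constructed PresentedIdentifiers record standing in for a parsed X.509 certificate.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PresentedIdentifiers:
    """Names carried by a server certificate (constructed stand-in for X.509 parsing)."""
    common_name: Optional[str] = None
    dns_ids: List[str] = field(default_factory=list)  # subjectAltName dNSName entries
    ip_ids: List[str] = field(default_factory=list)   # subjectAltName iPAddress entries


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 section 6.4.3 style comparison: case-insensitive, and a wildcard
    is honoured only as the entire left-most label, never across a dot."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    if h.count(".") != p.count("."):
        return False  # "*.example.com" must not match "a.b.example.com" or "example.com"
    return h.split(".", 1)[1] == p[2:]


def chkhost(reference: str, presented: PresentedIdentifiers) -> bool:
    """Accept `reference` (the hostname or IP the client used to connect) under
    RFC 6125 section 6.4.4: with any DNS-ID present the CN-ID is ignored entirely;
    the CN is a fallback only for legacy certificates without subjectAltName DNS entries."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", reference):
        # An IP literal can only be satisfied by an iPAddress SAN, never by a DNS name or CN.
        return reference in presented.ip_ids
    if presented.dns_ids:
        return any(_dns_name_match(d, reference) for d in presented.dns_ids)
    return presented.common_name is not None and _dns_name_match(presented.common_name, reference)
```

With a certificate holding CN=ldap.example.com and DNS:localhost, connecting as "localhost" is accepted and connecting as "ldap.example.com" is rejected, which is exactly the behaviour Howard describes.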