[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Bug in tlso_session_chkhost?

--On Wednesday, May 10, 2017 7:02 PM +0100 Howard Chu <hyc@symas.com> wrote:

The point is there is nothing on your machine that says your hostname is
"localhost". Therefore, since the subjectAltName of DNS:localhost doesn't
match any known name for your host, the cert is rejected.

Sure there is, /etc/hosts. And as I noted, per RFC 6761, "localhost." is a recognized domain. The OpenLDAP code is incorrect.

A better solution would be for the localhost case to check if (a) the cert has a match, and if it fails, then fall back to see if it matches ldap_int_hostname.



Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP: