[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Bug in tlso_session_chkhost?

To: Quanah Gibson-Mount <quanah@symas.com>, Ryan Tandy <ryan@nardis.ca>, openldap-devel@openldap.org
Subject: Re: Bug in tlso_session_chkhost?
From: Howard Chu <hyc@symas.com>
Date: Wed, 10 May 2017 18:09:18 +0100
In-reply-to: <WM!2d9692fb06cb4dc9afc32f3ddca47a28e61a62bbc05a485cd06be8dcabef35e00abbc222dad8b615992ce82049bd04c7!@mailstronghold-2.zmailcloud.com>
References: <71671977-6211-348b-c8ac-586d4af0e031@stroeder.com> <2817658C7EA0A04BD6B8FA96@[192.168.1.19]> <60b094bf-a6b5-0dd7-d9c8-1aa25c765ebb@symas.com> <18BEB0EE5AD7F275CA3F4C6C@[192.168.1.19]> <7c8f2d5d-c189-8cb8-6c85-c322ac9d0df4@stroeder.com> <WM!770ed6a5d960360597ba3e402bfccdf09b18b96e6c6eb2bce2af8c9a08adcc603344ea35d82d0a31dddc85006980c642!@mailstronghold-1.zmailcloud.com> <A32F20071B8440F8CBA43B4D@[192.168.1.19]> <WM!42c3ba3dcf596e6dd0bda2effc112f7dab8fe3d1c290c959d1c4d15622a11cb9e27d0712e325e20c3ece9ad2b781f02e!@mailstronghold-3.zmailcloud.com> <81701E14952167B6E8E32381@[192.168.1.19]> <20170510164934.GA20216@comet.nardis.ca> <WM!59e73c82f206e6a9a679ef71a4b55a0c0cdd9783600f904800579e80833cd0902832da6a0b4a6f1cf663ff61342b9c06!@mailstronghold-3.zmailcloud.com> <E35539CD46108102327B79D0@[192.168.1.19]> <WM!2d9692fb06cb4dc9afc32f3ddca47a28e61a62bbc05a485cd06be8dcabef35e00abbc222dad8b615992ce82049bd04c7!@mailstronghold-2.zmailcloud.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0 SeaMonkey/2.46a2

Quanah Gibson-Mount wrote:

--On Wednesday, May 10, 2017 10:49 AM -0700 Ryan Tandy <ryan@nardis.ca> wrote:

On Wed, May 10, 2017 at 09:32:59AM -0700, Quanah Gibson-Mount wrote:

RFC 6761 specifically notes that "localhost." is in fact a domain name
(Section 6.3).  Therefore, my certificates are in fact correct, and
the OpenLDAP code check is indeed a bug.


"localhost." is a perfectly valid FQDN (as is the relatively common
"localhost.localdomain."), but from earlier in the thread I gathered your
system's FQDN is actually "u16build." or "u16build.some.domain.".


The FQDN of the system is immaterial.  The point is to have a certificate
without *any* reference to the system hostname, and be entirely based on
localhost.  The RFCs seem to indicate that is perfectly legitimate.  It is the
OpenLDAP code check that breaks this ability.

Wrong. The FQDN of the system is the entire point of this discussion. Certverification is based first and primarily on hostnames.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- Re: Bug in tlso_session_chkhost?
  - From: Michael Ströder <michael@stroeder.com>

References:
- Re: Bug in tlso_session_chkhost?
  - From: Michael Ströder <michael@stroeder.com>
- Re: Bug in tlso_session_chkhost?
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Re: Bug in tlso_session_chkhost?
  - From: Howard Chu <hyc@symas.com>
- Re: Bug in tlso_session_chkhost?
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Re: Bug in tlso_session_chkhost?
  - From: Michael Ströder <michael@stroeder.com>
- Re: Bug in tlso_session_chkhost?
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Re: Bug in tlso_session_chkhost?
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Re: Bug in tlso_session_chkhost?
  - From: Ryan Tandy <ryan@nardis.ca>
- Re: Bug in tlso_session_chkhost?
  - From: Quanah Gibson-Mount <quanah@symas.com>

Prev by Date: Re: Bug in tlso_session_chkhost?
Next by Date: Re: Bug in tlso_session_chkhost?
Index(es):
- Chronological
- Thread