Additional bug in OpenLDAP TLS code

In testing a suggestion from Howard, it appears that the OpenLDAP code is broken for IP-based certs (where the IP: <addr> is in the Subject Alternative Name), as it does a hostname lookup prior to validating the cert. This is trivially demonstrable using a cert with:

            X509v3 Subject Alternative Name:
                DNS:localhost, IP Address:, IP Address:0:0:0:0:0:0:0:1

Attempting to connect via ldapsearch to ldap:// and initiate StartTLS will fail, as the IP gets mapped to "localhost", and then the FQDN check fails. But this would imply that any attempt to use the IP: values in the Subject Alternative Name will be a problem, since "name_in" is translated.

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
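The following is an added illustration of the two matching strategies described in the post; it is not OpenLDAP's code and does not call libldap. It models the correct approach (an IP literal is matched only against iPAddress SAN entries, by address value) beside a simplified hostname-first check that reverse-resolves the IP and then consults dNSName entries only. The SAN lists, the reverse-lookup table standing in for gethostbyaddr(), and the 127.0.0.1 value for the post's elided first IP entry are all constructed assumptions for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
SanList = List[Tuple[str, str]]

# Constructed SAN list modelled on the certificate in the post. The post's
# text elides the first IP entry; 127.0.0.1 is assumed here.
CERT_SANS: SanList = [
    ("DNS", "localhost"),
    ("IP", "127.0.0.1"),
    ("IP", "0:0:0:0:0:0:0:1"),
]

# Second constructed certificate: an IP-only SAN with no dNSName entry.
IP_ONLY_SANS: SanList = [
    ("IP", "192.0.2.10"),  # RFC 5737 documentation address
]

# Hypothetical reverse-lookup table standing in for gethostbyaddr(); the
# hostname-first check consults it before comparing names.
REVERSE_DNS: Dict[str, str] = {
    "127.0.0.1": "localhost",
    "::1": "localhost",
    "192.0.2.10": "host-10.isp.example",
}


def parse_ip(name: str) -> Optional[IPAddr]:
    """Return the parsed address if name is an IP literal, else None.
    Accepts the bracketed form used in ldap://[::1]/ URLs."""
    if name.startswith("[") and name.endswith("]"):
        name = name[1:-1]
    try:
        return ipaddress.ip_address(name)
    except ValueError:
        return None


def dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName comparison allowing a single
    leftmost-label wildcard (*.example.test)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def correct_match(name_in: str, sans: SanList) -> bool:
    """RFC 6125 style matching: an IP literal is compared only against
    iPAddress entries, by address value (so ::1 equals 0:0:0:0:0:0:0:1);
    a hostname is compared only against dNSName entries. No DNS lookup
    of any kind is involved."""
    ip = parse_ip(name_in)
    if ip is not None:
        return any(t == "IP" and parse_ip(v) == ip for t, v in sans)
    return any(t == "DNS" and dns_name_matches(v, name_in) for t, v in sans)


def hostname_first_match(name_in: str, sans: SanList,
                         reverse: Dict[str, str] = REVERSE_DNS) -> bool:
    """Simplified model of the behaviour the post describes: name_in is
    translated to a hostname via reverse lookup before the certificate is
    examined, and only dNSName entries are consulted afterwards. An
    iPAddress entry can therefore never satisfy the check; the connection
    succeeds only if the reverse name happens to appear as a dNSName."""
    ip = parse_ip(name_in)
    if ip is not None:
        resolved = reverse.get(str(ip))
        if resolved is None:
            return False
        name_in = resolved
    return any(t == "DNS" and dns_name_matches(v, name_in) for t, v in sans)


if __name__ == "__main__":
    for target, sans in (("192.0.2.10", IP_ONLY_SANS), ("[::1]", CERT_SANS)):
        print(target, "correct:", correct_match(target, sans),
              "hostname-first:", hostname_first_match(target, sans))
```

Running the module shows the general case from the post's last sentence: a client connecting to 192.0.2.10 with a certificate carrying only IP:192.0.2.10 passes the address-based check but fails the hostname-first one, because the reverse name is not among the certificate's dNSNames and the iPAddress entry is never consulted.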