
Re: Verifying 'CN' in client certificates using TLS



On Wed, Feb 06, 2002 at 10:29:48AM +0100, Norbert Klasen wrote:

> > However, the 'CN' value of my client certificate is completely ignored,
> > as I can install the same certificates across several clients (machines in
> > this case) and they will work. I'm therefore deducing that provided the
> > client certs have been signed by my trusted CA (my own in this case) the
> > 'CN' value is unimportant?
> >
> > Is there a way to enforce 'CN' checking against a directory entry which
> > details DNS hostname, or even better IP address, in OpenLDAP?
> 
> Which version of OpenLDAP are you using? Recent versions do perform the
> Server Identity Check according to RFC2830.

I should have listed software versions, sorry:

OpenLDAP 2.0.21
nss_ldap-181
pam_ldap-136

I think Howard, in his follow-up, has pointed out the factor here. 'Clients'
are usually 'people' not 'hosts', therefore DNS and IP are irrelevant....

Steve
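The point the thread arrives at is that a CA signature only says "this certificate was issued by a CA I trust"; it does not bind the certificate to a particular user unless the server actually compares the subject to an identity it expects. The following is an added example, not code from the thread, OpenLDAP, nss_ldap or pam_ldap. It assumes the TLS library has already verified the chain against the trusted CA and handed back the peer certificate in the nested-tuple form that Python's `ssl.SSLSocket.getpeercert()` returns; the certificate dicts, the allowed-user set and the function names are all constructed for illustration.

```python
"""Map a CA-validated client certificate to an authorised user by its
subject CN, instead of accepting any certificate the trusted CA signed.

Assumption (hypothetical setup): chain validation has already been done by
the TLS layer (e.g. ssl.CERT_REQUIRED with the local CA loaded), so the only
remaining question is *who* the certificate identifies.
"""
from typing import Optional

# Constructed sample certificates in getpeercert() layout: 'subject' is a
# tuple of RDNs, each RDN a tuple of (attribute, value) pairs.
CERT_STEVE = {
    "issuer": ((("commonName", "Example Private CA"),),),
    "subject": ((("countryName", "GB"),), (("commonName", "steve"),)),
}
CERT_MALLORY = {  # also signed by the same CA, but not an allowed user
    "issuer": ((("commonName", "Example Private CA"),),),
    "subject": ((("countryName", "GB"),), (("commonName", "mallory"),)),
}
CERT_NO_CN = {  # a valid certificate that simply carries no CN
    "issuer": ((("commonName", "Example Private CA"),),),
    "subject": ((("organizationName", "Example Org"),),),
}
CERT_TWO_CN = {  # ambiguous: two CN values in the subject
    "issuer": ((("commonName", "Example Private CA"),),),
    "subject": ((("commonName", "steve"),), (("commonName", "admin"),)),
}

# Constructed directory of users allowed to authenticate with a client cert.
ALLOWED_USERS = {"steve", "norbert"}


def subject_cn(peercert: dict) -> Optional[str]:
    """Return the single commonName from the certificate subject.

    Returns None when there is no CN or more than one CN: an ambiguous
    subject must not silently resolve to one of its values.
    """
    cns = [
        value
        for rdn in peercert.get("subject", ())
        for attr, value in rdn
        if attr == "commonName"
    ]
    if len(cns) != 1:
        return None
    return cns[0]


def client_identity(peercert: dict, allowed_users) -> Optional[str]:
    """Return the user the certificate authenticates, or None.

    The CA check alone lets CERT_MALLORY in; this exact, case-sensitive
    comparison of the CN against the allowed set is the step the thread
    found missing.
    """
    cn = subject_cn(peercert)
    if cn is None or cn not in allowed_users:
        return None
    return cn


if __name__ == "__main__":
    for name, cert in [("steve", CERT_STEVE), ("mallory", CERT_MALLORY),
                       ("no-cn", CERT_NO_CN), ("two-cn", CERT_TWO_CN)]:
        print(f"{name:8s} -> {client_identity(cert, ALLOWED_USERS)}")
```

Running the block prints the resolved identity for each constructed certificate: only `steve` is accepted; the same-CA `mallory` certificate, the CN-less one and the two-CN one all resolve to `None`. Whether the expected identity lives in a DNS name, an IP address or a directory user is a policy choice; the comparison step is what turns "signed by my CA" into "this particular client".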