[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP and wildcard SSL certs

On Thu, Apr 14, 2005 at 06:18:18PM -0700, Howard Chu wrote:
> I should note that there was never a 2.1.32 OpenLDAP release, 2.1.30 was 
> the last.

Sorry, I flipped the digits as I typed. It's actually 2.1.23

> And since 2.1 is Historic and no longer supported, there's not 
> much point in pursuing this further until you upgrade to a supported 
> release (like 2.2.24).


> Likewise, OpenSSL 0.9.6b is ancient, and known to have a number of
> security vulnerabilities.

I did say "OpenSSL 0.9.6b (plus security patches)".

> It is not a good idea to use any of this old software.

Probably not.

> As noted in the original message you referenced, RFC2459 does not permit 
> the use of wildcards in the subject DN of a cert. The specification only 
> allows wildcards to be used in the subjectAltName extension. Any 
> organizations and software packages supporting wildcards in the subject 
> DN are broken, and cannot be considered to have a reliable security 
> implementation.

So to clarify: Are you saying it is "pure nonsense" for VeriSign,
GeoTrust, etc. to sell certificates with wildcards in the "subject
DN" (what I'm talking about is the "CN" that you fill in during CSR
generation, but you appear to be using a different term)? Because they do
(we've bought them). And Apache, Sendmail, and other servers will serve
them out. And a whole raft of email, web, and other clients will accept
them. Are you saying that's all being done wrong? Or that I've just been
unlucky that OpenLDAP appears to be the only one I've found that doesn't
allow this?

Honestly, I'm not trolling here; you can tell I'm new to this, and I'm
just saying that the empirical evidence in practice I've seen so far
is overwhelmingly not lining up what what you and the spec. seem to be
saying is the "correct" way to do this. So I'm trying to understand.

> SSL and certificates are not just some Magic Security Solution that can 
> be used arbitrarily without any thought. It is important to understand 
> exactly what these things are for.

I appreciate the clarification of what the subject DN and subjectAltName
are "for" and how they're intended to be used. The sum of the responses
so far seem to be saying that you use a wildcard to specify a bunch of
servers that all provide a service under one name (ldap[1..N].example.com
providing ldap.example.com) -- not to specify a bunch of different
service names all under one cert ({ldap,smtp,www}.example.com as
*.example.com). All that's been helpful; thanks.

But we have been using one CN=*.example.com cert. to save money for
several years now, and it "works" except for OpenLDAP which has always
needed its own. Not sure yet what to conclude.

Brent J. Nordquist <b-nordquist@bethel.edu> N0BJN
Other contact information: http://kepler.its.bethel.edu/~bjn/contact.html