[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: start_tls: connect error

Howard Chu wrote:
> Michael Ströder wrote:
>> Howard Chu wrote:
>>> Show the output with debugging enabled. Note that "localhost" is treated
>>> specially, and will be replaced by the local hostname instead of being used
>>> directly in the name comparison.
>> Why that? I strongly dislike automagic things when doing security checks.
> Probably because "localhost" is useless in an actual cert from a remote
> server.

Yes. But nothing prevents the client from providing the correct hostname.

> This has been a feature of libldap since 2.1, so it's certainly
> nothing new.

You can blame me that I did not notice this feature before. Still I think
that's broken since libldap has to rely on a trustworthy name resolving then
instead of just comparing the inherently trusted user input against the cert's
CN attribute. Hmm, didn't we have this discussion before?

Ciao, Michael.