[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Bug in tlso_session_chkhost?

To: Ryan Tandy <ryan@nardis.ca>, openldap-devel@openldap.org
Subject: Re: Bug in tlso_session_chkhost?
From: Quanah Gibson-Mount <quanah@symas.com>
Date: Wed, 10 May 2017 09:53:59 -0700
Content-disposition: inline
In-reply-to: <WM!59e73c82f206e6a9a679ef71a4b55a0c0cdd9783600f904800579e80833cd0902832da6a0b4a6f1cf663ff61342b9c06!@mailstronghold-3.zmailcloud.com>
References: <71671977-6211-348b-c8ac-586d4af0e031@stroeder.com> <WM!f23f84644cc0e2f103ba5c9aba1bd61059b687261a1c4293c1677863d7668e3bac63d2fb954d030905651563e1e4d1db!@mailstronghold-2.zmailcloud.com> <2817658C7EA0A04BD6B8FA96@[192.168.1.19]> <60b094bf-a6b5-0dd7-d9c8-1aa25c765ebb@symas.com> <18BEB0EE5AD7F275CA3F4C6C@[192.168.1.19]> <7c8f2d5d-c189-8cb8-6c85-c322ac9d0df4@stroeder.com> <WM!770ed6a5d960360597ba3e402bfccdf09b18b96e6c6eb2bce2af8c9a08adcc603344ea35d82d0a31dddc85006980c642!@mailstronghold-1.zmailcloud.com> <A32F20071B8440F8CBA43B4D@[192.168.1.19]> <WM!42c3ba3dcf596e6dd0bda2effc112f7dab8fe3d1c290c959d1c4d15622a11cb9e27d0712e325e20c3ece9ad2b781f02e!@mailstronghold-3.zmailcloud.com> <81701E14952167B6E8E32381@[192.168.1.19]> <20170510164934.GA20216@comet.nardis.ca> <WM!59e73c82f206e6a9a679ef71a4b55a0c0cdd9783600f904800579e80833cd0902832da6a0b4a6f1cf663ff61342b9c06!@mailstronghold-3.zmailcloud.com>

--On Wednesday, May 10, 2017 10:49 AM -0700 Ryan Tandy <ryan@nardis.ca>wrote:

On Wed, May 10, 2017 at 09:32:59AM -0700, Quanah Gibson-Mount wrote:

RFC 6761 specifically notes that "localhost." is in fact a domain name
(Section 6.3).  Therefore, my certificates are in fact correct, and
the OpenLDAP code check is indeed a bug.


"localhost." is a perfectly valid FQDN (as is the relatively common
"localhost.localdomain."), but from earlier in the thread I gathered your
system's FQDN is actually "u16build." or "u16build.some.domain.".

The FQDN of the system is immaterial. The point is to have a certificatewithout *any* reference to the system hostname, and be entirely based onlocalhost. The RFCs seem to indicate that is perfectly legitimate. It isthe OpenLDAP code check that breaks this ability.


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

References:
- Re: Bug in tlso_session_chkhost?
  - From: Michael Ströder <michael@stroeder.com>
- Re: Bug in tlso_session_chkhost?
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Re: Bug in tlso_session_chkhost?
  - From: Howard Chu <hyc@symas.com>
- Re: Bug in tlso_session_chkhost?
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Re: Bug in tlso_session_chkhost?
  - From: Michael Ströder <michael@stroeder.com>
- Re: Bug in tlso_session_chkhost?
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Re: Bug in tlso_session_chkhost?
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Re: Bug in tlso_session_chkhost?
  - From: Ryan Tandy <ryan@nardis.ca>

Prev by Date: Re: Bug in tlso_session_chkhost?
Next by Date: Re: Bug in tlso_session_chkhost?
Index(es):
- Chronological
- Thread