Re: Bug in tlso_session_chkhost?
--On Wednesday, May 10, 2017 7:02 PM +0100 Howard Chu <hyc@symas.com> wrote:
> The point is there is nothing on your machine that says your hostname is
> "localhost". Therefore, since the subjectAltName of DNS:localhost doesn't
> match any known name for your host, the cert is rejected.

Sure there is, /etc/hosts. And as I noted, per RFC 6761, "localhost." is a
recognized domain. The OpenLDAP code is incorrect.

A better solution would be for the localhost case to check if (a) the cert
has a match, and if it fails, then fall back to see if it matches
ldap_int_hostname.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
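
The check order proposed in the message above, as an added sketch that is neither OpenLDAP code nor code from the poster: the requested name is tried against the certificate first, and only a failed "localhost" lookup retries with the machine's own hostname. All function names are hypothetical, `local_hostname` stands in for `ldap_int_hostname`, and the SAN lists are constructed samples.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Case-insensitive equality: DNS names compare without regard to case. */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Match one SAN dNSName against a host name; a leading "*." covers one label. */
static int san_matches(const char *san, const char *name)
{
    if (san[0] == '*' && san[1] == '.') {
        const char *dot = name;
        while (*dot && *dot != '.') dot++;
        return dot != name && *dot == '.' && eq_nocase(san + 1, dot);
    }
    return eq_nocase(san, name);
}

static int cert_has_name(const char *const *sans, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (san_matches(sans[i], name)) return 1;
    return 0;
}

/* (a) try the name the client asked for; (b) only if that name is
 * "localhost" and nothing matched, retry with the local hostname. */
int check_host(const char *const *sans, size_t n,
               const char *requested, const char *local_hostname)
{
    if (cert_has_name(sans, n, requested)) return 1;
    if (eq_nocase(requested, "localhost") && local_hostname != NULL)
        return cert_has_name(sans, n, local_hostname);
    return 0;
}

/* Constructed sample certificates, reduced to their SAN dNSName lists. */
static const char *const SANS_LOCALHOST[] = { "localhost" };
static const char *const SANS_FQDN[] = { "ldap.example.com" };

int main(void)
{
    printf("%d\n", check_host(SANS_LOCALHOST, 1, "localhost", "ldap.example.com"));
    printf("%d\n", check_host(SANS_FQDN, 1, "localhost", "ldap.example.com"));
    return 0;
}
```

The fallback applies only when the requested name is "localhost"; any other name that fails the first check is rejected without consulting the local hostname.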