[Date Prev][Date Next] [Chronological] [Thread] [Top]

Additional bug in OpenLDAP TLS code

To: openldap-devel@openldap.org
Subject: Additional bug in OpenLDAP TLS code
From: Quanah Gibson-Mount <quanah@symas.com>
Date: Wed, 10 May 2017 13:12:01 -0700
Content-disposition: inline

In testing a suggestion from Howard, it appears that OpenLDAP code isbroken for IP based certs (where the IP: <addr> is in subject AlternativeName), as it does a hostname lookup prior to validating the cert. This istrivially demonstrable using a cert with:


           X509v3 Subject Alternative Name:

DNS:localhost, IP Address:127.0.0.1, IPAddress:0:0:0:0:0:0:0:1

Attempting to connect via ldapsearch to ldap://127.0.0.1 and initiatestartTLS will fail, as the IP gets mapped to "localhost", and then the FQDNcheck fails. But this would imply any attempt to use the IP: values insubject Alternative Name will be a problem, since "name_in" is translated.


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

Follow-Ups:
- Re: Additional bug in OpenLDAP TLS code
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Re: Bug in tlso_session_chkhost?
Next by Date: Re: Additional bug in OpenLDAP TLS code
Index(es):
- Chronological
- Thread