[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS fails

Kurt D. Zeilenga wrote:
On Wednesday 15 February 2006 15:40, Jon Roberts wrote:
Quanah Gibson-Mount wrote:
You have to use the name in your search that matches the name in the
certificate for TLS to work.

In JLDAP clients I can connect to a remote ldaps server by using the ip address as hostname, even though I obviously did not use the ip as the name in the certificate. Is that advice specific to ldapsearch, StartTLS, or something else I might be confused about?

I'm guessing that JLDAP translates the IP address to the FQDN.

Which is counter to both general and LDAP-specific TLS certificate verification rules. One shouldn't trust DNS. Sounds like a JLDAP bug to me.

I'll have to continue investigating this later, but it appears it's actually the standard Java JSSE SSL socket factory that's doing this lookup. However, in JLDAP's LDAPJSSEStartTLSFactory the socket creation involves an explicit call to getInetAddress().getHostName(). That may be aping what I'll find in the source for javax.net.ssl.SSLSocketFactory.

Either way I'm pretty sure this is not a DNS lookup at all, because I'm using a local network (192.168) address which shouldn't resolve to anything.

If I pick up this tangential branch of the thread, I'll move it to openldap-devel.

Jon Roberts