[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: How do tool verify certs with ldapi:// ?

On Mon, 28 May 2012, Peter Marschall wrote:
> On Monday, 28. May 2012, Philip Guenther wrote:
> > If that's not a sufficient option, and verifying certs is required, 
> > then it appears the code will treat the socket path as the hostname to 
> > verify for.  For OpenSSL, for example, that means it'll compare it 
> > against any DNS: subjectAltNames as well as against the last CN 
> > component of the cert subject.
> That's not what the openldap tools do.

I'm glad I said "it appears", as appearances can be (and were) deceiving.  

Checking with a debugger, I see that my description was correct for the 
case where a path was specified in the URI, ala

If no path is specified (e.g., "ldapi://") then the checking code is 
passed a hostname of "localhost".

Philip Guenther