From hyc@symas.com Fri May 10 20:53:25 2019
From: hyc@symas.com
To: openldap-bugs@openldap.org
Subject: Re: (ITS#9021) TLS: can't connect: TLS: hostname does not match CN in peer certificate
Date: Fri, 10 May 2019 20:53:24 +0000

darshankmistry(a)yahoo.com wrote:
> Thank you very much for the quick response and the OpenLDAP behavior configuration.
> How can we ignore the server name in the subject of the certificate, so I can use the LDAP server IP address instead of the host name?
> Also, I want to know if there is any open CVE which says it is a vulnerability to use the LDAP server IP address instead of the name in the LDAP configuration.

Add the IP address in a subjectAlternativeName extension to your server certificate. The behavior here is specified in RFC4513.

>
> Thank you,
> Darshankumar Mistry
> darshankmistry(a)yahoo.com
>
> On Friday, May 10, 2019, 12:58:38 PM PDT, Quanah Gibson-Mount ymas.com> wrote:
>
> --On Friday, May 10, 2019 8:52 PM +0000 darshankmistry(a)yahoo.com wrote:
>
>> Full_Name: Darshankumar Mistry
>> Version:
>> OS:
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (2001:420:10b:1272:fc1b:1ea:d311:6cac)
>>
>> I would like to know why the OpenLDAP behavior was changed so that we must
>> configure the FQDN mentioned in the certificate in order for LDAP
>> authentication to work... otherwise TLS start fails.
>
> OpenLDAP has worked this way since I first started using it in 2002. This
> behavior is nothing new. And this is the correct behavior.
>
> This ITS will be closed.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
>
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
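The server identity check Howard points to (RFC 4513 section 3.1.3) is what produces the "hostname does not match CN in peer certificate" error: a connection made to an IP literal is compared only against iPAddress subjectAltName entries, never against the CN, so a certificate that carries only a CN can never satisfy it. The following is an added example, not OpenLDAP's code or anything posted in this thread; it models the matching rule in plain Python over constructed certificate dictionaries in the shape `ssl.SSLSocket.getpeercert()` returns. The certificate contents, names and addresses are all made up for the demonstration.

```python
"""Server identity check for LDAP over TLS, modelled on RFC 4513 section 3.1.3.

Added example, not OpenLDAP's implementation. Certificates are constructed
dictionaries shaped like ssl.SSLSocket.getpeercert() output, so the check runs
offline without a real TLS session.
"""
import ipaddress


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive dNSName comparison; '*' may only be the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # RFC 4513: the wildcard applies only to the leftmost label and matches exactly
    # one label.  Requiring at least three labels (no "*.com") is extra hardening
    # beyond the RFC text, chosen here deliberately.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _san_entries(cert: dict, kind: str) -> list:
    """Values of subjectAltName entries of one kind ('DNS' or 'IP Address')."""
    return [value for (k, value) in cert.get("subjectAltName", ()) if k == kind]


def _common_names(cert: dict) -> list:
    return [value for rdn in cert.get("subject", ())
            for (k, value) in rdn if k == "commonName"]


def server_identity_matches(cert: dict, reference: str) -> bool:
    """True when `reference` (a hostname or an IP literal) identifies the certificate.

    RFC 4513 3.1.3 rules applied here:
      * an IP literal is compared only with iPAddress subjectAltName entries;
      * a hostname is compared with dNSName subjectAltName entries;
      * the subject CN is consulted only when the certificate has no dNSName entry.
    """
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None

    if ip is not None:
        for value in _san_entries(cert, "IP Address"):
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue  # malformed entry: treat as non-matching
        return False  # an IP reference never matches a dNSName or the CN

    dns_names = _san_entries(cert, "DNS")
    if dns_names:
        return any(_dns_name_match(p, reference) for p in dns_names)
    return any(_dns_name_match(cn, reference) for cn in _common_names(cert))


# Constructed sample certificates (no real keys, CA or hosts involved).
CERT_CN_ONLY = {
    "subject": ((("commonName", "ldap.example.com"),),),
}
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("IP Address", "192.0.2.10")),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "ignored.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}


def demo() -> dict:
    """Run the check for the situations discussed in the ITS and return the verdicts."""
    return {
        "cn-only, connect by hostname": server_identity_matches(CERT_CN_ONLY, "ldap.example.com"),
        "cn-only, connect by IP": server_identity_matches(CERT_CN_ONLY, "192.0.2.10"),
        "IP SAN, connect by IP": server_identity_matches(CERT_WITH_IP_SAN, "192.0.2.10"),
        "IP SAN, connect by other IP": server_identity_matches(CERT_WITH_IP_SAN, "192.0.2.11"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'ok' if ok else 'hostname does not match'}")
```

To issue a server certificate that passes the IP case, put the address in the SAN at request time, e.g. with OpenSSL 1.1.1 or later: `openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=ldap.example.com -addext 'subjectAltName=DNS:ldap.example.com,IP:192.0.2.10' -keyout key.pem -out cert.pem`; `openssl x509 -in cert.pem -noout -checkip 192.0.2.10` then confirms the SAN entry before the certificate is deployed. Keeping the DNS name in the SAN alongside the address lets clients configured either way verify the same certificate.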