From darshankmistry@yahoo.com Fri May 10 21:29:00 2019
From: darshankmistry@yahoo.com
To: openldap-bugs@openldap.org
Subject: Re: (ITS#9021) TLS: can't connect: TLS: hostname does not match CN in peer certificate
Date: Fri, 10 May 2019 21:28:58 +0000

Thank you, this case can be closed. I appreciate all your help and clarification. Thanks again.

Thank you,
Darshankumar Mistry
darshankmistry(a)yahoo.com

On Friday, May 10, 2019, 1:53:16 PM PDT, Howard Chu <hyc(a)symas.com> wrote:

darshankmistry(a)yahoo.com wrote:
> Thank you very much for the quick response and the OpenLDAP behavior configuration.
>
> How can we ignore looking at the server name in the subject of the certificate, so I can use the LDAP server IP address instead of the host name?
>
> Also, I want to know if there is any open CVE which says it is a vulnerability to use the LDAP server IP address instead of the name in the LDAP configuration.

Add the IP address in a subjectAlternativeName extension to your server certificate.

The behavior here is specified in RFC4513.

>
> Thank you,
> Darshankumar Mistry
> darshankmistry(a)yahoo.com
>
> On Friday, May 10, 2019, 12:58:38 PM PDT, Quanah Gibson-Mount <quanah(a)symas.com> wrote:
>
> --On Friday, May 10, 2019 8:52 PM +0000 darshankmistry(a)yahoo.com wrote:
>
>> Full_Name: Darshankumar Mistry
>> Version:
>> OS:
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (2001:420:10b:1272:fc1b:1ea:d311:6cac)
>>
>>
>> I would like to know why Open LDAP behavior was changed where we must
>> have to configure FQDN name mentioned in certificate in order to work LDAP
>> authentication... else TLS start failing.
>
> OpenLDAP has worked this way since I first started using it in 2002. This
> behavior is nothing new. And this is the correct behavior.
>
> This ITS will be closed.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
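The fix given in the thread, connecting to the LDAP server by IP literal, is to put that IP in an iPAddress subjectAltName entry of the server certificate rather than to switch off the server identity check. The following is an added example, not code from the thread or from OpenLDAP, that models the client-side check in Go's crypto/x509: it issues two in-memory server certificates for the hypothetical host ldap.example.com (one with only a dNSName SAN, reproducing the certificate that caused the ITS, and one that also carries an iPAddress SAN for 192.0.2.10, a constructed documentation-range address) and shows which reference identities each one matches. The host name and addresses are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeServerCert issues a self-signed certificate for a hypothetical LDAP
// server (in-memory only, nothing is written to disk). cn becomes the
// subject CN; dnsNames and ips become dNSName and iPAddress entries of the
// subjectAltName extension. Pass a nil ips slice to reproduce the
// certificate that triggered the ITS: a name-only certificate.
func makeServerCert(cn string, dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// peerMatches performs the server identity check a client does after the
// TLS handshake: target is the host part of the LDAP URI exactly as
// configured (DNS name or IP literal). An IP literal is compared only
// against iPAddress SAN entries; a DNS name only against dNSName entries.
func peerMatches(cert *x509.Certificate, target string) bool {
	return cert.VerifyHostname(target) == nil
}

// mismatchReason returns the verification error text, or "" on success,
// so a caller can log why a peer certificate was rejected.
func mismatchReason(cert *x509.Certificate, target string) string {
	if err := cert.VerifyHostname(target); err != nil {
		return err.Error()
	}
	return ""
}

func main() {
	// Constructed sample identities: a placeholder host name and an
	// address from the RFC 5737 documentation range.
	host := "ldap.example.com"
	ip := net.ParseIP("192.0.2.10")

	nameOnly, err := makeServerCert(host, []string{host}, nil)
	if err != nil {
		panic(err)
	}
	withIP, err := makeServerCert(host, []string{host}, []net.IP{ip})
	if err != nil {
		panic(err)
	}

	certs := []struct {
		label string
		cert  *x509.Certificate
	}{{"dNSName SAN only", nameOnly}, {"dNSName + iPAddress SAN", withIP}}
	for _, c := range certs {
		for _, target := range []string{host, ip.String(), "192.0.2.11"} {
			fmt.Printf("%-24s connect to %-16s -> ok=%-5v %s\n",
				c.label, target, peerMatches(c.cert, target), mismatchReason(c.cert, target))
		}
	}
}
```

The name-only certificate is accepted when the client is configured with the host name and rejected when it is configured with 192.0.2.10, which is the situation in the ITS; adding the iPAddress SAN makes the IP-literal configuration verify while the host-name configuration keeps working, and a different address (192.0.2.11) is still rejected. The same certificate can be produced with OpenSSL 1.1.1 or later by passing `-addext "subjectAltName=DNS:ldap.example.com,IP:192.0.2.10"` to `openssl req`. Two caveats: Go's VerifyHostname ignores the subject CN entirely, whereas libldap still falls back to the CN for a DNS reference identity when no dNSName SAN is present (which is why the error in the subject line mentions the CN), so this example models only the SAN path; and the alternative a tempted administrator might reach for, `TLS_REQCERT allow` or `never` in ldap.conf, silences the error by skipping server authentication altogether, leaving the connection open to an active attacker, which the SAN fix avoids.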