https://bugs.openldap.org/show_bug.cgi?id=9869
Issue ID: 9869 Summary: LDAP over TLS not doing hostname verification in version 2.4.59 Product: OpenLDAP Version: 2.4.59 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: libraries Assignee: bugs@openldap.org Reporter: radiatejava@gmail.com Target Milestone: ---
My software was using openldap client 2.4.44 to talk to the LDAP server. We have shifted to 2.4.59 now to address some issues. Ever since we shifted, the new version is allowing LDAP over TLS without hostname verification.
In the older 2.4.44, I always got this error if hostname did not match the CN value:
return code -1 - Can't contact LDAP server) diagnostic message TLS: hostname does not match CN in peer certificate
But after the lib update, no such error even if I am using LDAP server IP to do LDAP bind while LDAP server certificate has CN set as some FQDN (say test.ldap.com). Our client side code has not changed while we updated the ldap lib. For our client, we are only doing these settings:
ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, lCertsDir) ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, lCert)
Has there been any change in this regard? How do I enforce hostname verification now?
Thanks