https://bugs.openldap.org/show_bug.cgi?id=9267
Issue ID: 9267
Summary: libldap incorrectly accepts IP addresses in cert subject field as valid
Product: OpenLDAP
Version: 2.4.50
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs@openldap.org
Reporter: quanah@openldap.org
Target Milestone: ---
With a cert that has no subjectAltName, and has an IP address in the subject, ldap client connections are still made instead of rejected. This appears to violate RFC 4513, section 3.1.3:
The server's identity may also be verified by comparing the reference identity to the Common Name (CN) [RFC4519] value in the leaf Relative Distinguished Name (RDN) of the subjectName field of the server's certificate. This comparison is performed using the rules for comparison of DNS names in Section 3.1.3.1, below, with the exception that no wildcard matching is allowed. Although the use of the Common Name value is existing practice, it is deprecated, and Certification Authorities are encouraged to provide subjectAltName values instead. Note that the TLS implementation may represent DNs in certificates according to X.500 or other conventions. For example, some X.500 implementations order the RDNs in a DN using a left-to-right (most significant to least significant) convention instead of LDAP's right-to-left convention.
I do know we have an exception to the above in relation to wildcards in subject, since many CAs only issue certs that way (or at least did so at the time).
However that still revolves around DNS names. The acceptance of IP addresses is a separate matter and seems like it should be treated as a bug.
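Added example (not OpenLDAP code) showing the reference-identity check the report describes: an IP-address reference identity is matched only against iPAddress subjectAltName values, while the CN is compared with DNS-name rules, so an IP literal in the CN is rejected. The certificate dicts are constructed stand-ins for parsed X.509 fields, and the fallback to CN only when the certificate has no subjectAltName is this example's policy.

```python
import ipaddress

# Constructed stand-ins for parsed certificate identity fields (not real certs).
CERT_IP_IN_CN_NO_SAN = {"cn": "192.0.2.10", "san_dns": [], "san_ip": []}
CERT_DNS_CN_ONLY = {"cn": "ldap.example.test", "san_dns": [], "san_ip": []}
CERT_WITH_SAN = {"cn": "ldap.example.test",
                 "san_dns": ["ldap.example.test"], "san_ip": ["192.0.2.10"]}


def _parse_ip(value):
    """Return an ipaddress object if value is an IP literal, else None."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def _dns_match(reference, presented, allow_wildcard):
    """Case-insensitive DNS name comparison; '*.' may replace one leading label."""
    presented = presented.lower().rstrip(".")
    if presented == reference:
        return True
    if allow_wildcard and presented.startswith("*."):
        parts = reference.split(".", 1)
        return len(parts) == 2 and parts[1] == presented[2:]
    return False


def matches_server_identity(reference, cert, allow_cn_wildcard=False):
    """RFC 4513 3.1.3-style check of a reference identity against cert fields."""
    ref_ip = _parse_ip(reference)
    if ref_ip is not None:
        # An IP reference identity can only be satisfied by an iPAddress SAN;
        # the CN is compared under DNS-name rules, so an IP literal there never matches.
        return any(_parse_ip(p) == ref_ip for p in cert["san_ip"])
    ref = reference.lower().rstrip(".")
    if any(_dns_match(ref, d, True) for d in cert["san_dns"]):
        return True
    if cert["san_dns"] or cert["san_ip"]:
        return False  # example policy: SAN present, so the CN is not consulted
    cn = cert.get("cn") or ""
    if _parse_ip(cn) is not None:
        return False  # the reported bug: an IP literal in CN must not count as a match
    # RFC 4513 allows no wildcard in CN; the flag models libldap's historical exception.
    return _dns_match(ref, cn, allow_cn_wildcard)
```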