https://bugs.openldap.org/show_bug.cgi?id=8374
--- Comment #13 from Ryan Tandy ryan@openldap.org ---
Created attachment 589 --> https://bugs.openldap.org/attachment.cgi?id=589&action=edit (test program)
I cannot reproduce this. I've written a test program following your pseudocode and run it on Debian jessie (openldap 2.4.40/gnutls 3.3.8), stretch (openldap 2.4.44/gnutls 3.5.8), and buster (openldap 2.4.47/gnutls 3.6.7). In every case, StartTLS is consistently behaving correctly for me, returning "Connect error" with debug logging of "hostname does not match common name in certificate".
I'm attaching my test program. Compile with: gcc -std=c99 -o its8374 its8374.c -lldap
I'm afraid this ticket requires a reliable test program or script in order to be actionable. Thanks.