New subject: [Issue 9869] LDAP over TLS not doing hostname verification in version 2.4.59

21 Jun 2022


      https://bugs.openldap.org/show_bug.cgi?id=9869
Issue ID: 9869
           Summary: LDAP over TLS not doing hostname verification in
                    version 2.4.59
           Product: OpenLDAP
           Version: 2.4.59
          Hardware: x86_64
                OS: Linux
            Status: UNCONFIRMED
          Keywords: needs_review
          Severity: normal
          Priority: ---
         Component: libraries
          Assignee: bugs@openldap.org
          Reporter: radiatejava@gmail.com
  Target Milestone: ---
My software was using openldap client 2.4.44 to talk to the LDAP server. We
have shifted to 2.4.59 now to address some issues. Ever since we shifted, the
new version is allowing LDAP over TLS without hostname verification.
In the older 2.4.44, I always got this error if hostname did not match the CN
value:
return code -1 - Can't contact LDAP server) diagnostic message TLS: hostname
does not match CN in peer certificate
But after the lib update, no such error even if I am using LDAP server IP to do
LDAP bind while LDAP server certificate has CN set as some FQDN (say
test.ldap.com). Our client side code has not changed while we updated the ldap
lib. For our client, we are only doing these settings:
ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, lCertsDir)
ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, lCert)
Has there been any change in this regard? How do I enforce hostname
verification now?
Thanks
-- 
You are receiving this mail because:
You are on the CC list for the issue.

[Issue 9869] New: LDAP over TLS not doing hostname verification in version 2.4.59