https://bugs.openldap.org/show_bug.cgi?id=9869
Issue ID: 9869
Summary: LDAP over TLS not doing hostname verification in version 2.4.59
Product: OpenLDAP
Version: 2.4.59
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs(a)openldap.org
Reporter: radiatejava(a)gmail.com
Target Milestone: ---
My software was using openldap client 2.4.44 to talk to the LDAP server. We
have shifted to 2.4.59 now to address some issues. Ever since we shifted, the
new version is allowing LDAP over TLS without hostname verification.
In the older 2.4.44, I always got this error if the hostname did not match the CN
value:
return code -1 - Can't contact LDAP server) diagnostic message TLS: hostname
does not match CN in peer certificate
But after the lib update, there is no such error even if I am using the LDAP server IP to do
the LDAP bind while the LDAP server certificate has CN set to some FQDN (say
test.ldap.com). Our client-side code has not changed while we updated the ldap
lib. For our client, we are only doing these settings:
ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, lCertsDir);   /* per-handle option */
ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, lCert);    /* ld == NULL: sets the global default */
Has there been any change in this regard? How do I enforce hostname
verification now?
Thanks