On Fri, Feb 18, 2011 at 12:30:25AM +0000, hyc@symas.com wrote:
> Used to work - since when, what release, what else has changed since then?
Unfortunately I cannot tell you exactly when this changed. In any case, the change only affects a different bug which was masking the problem that I now see.
I do know that 2.3.32 as shipped with SLES 10.3 masks the problem by not checking the server certificate properly. So does 2.4.12 as shipped with OpenSuSE 11.1. Both will allow ldapsearch -ZZ to connect to *any* TLS-capable server if they do *not* have access to the CA certificate.
2.4.24 built on OpenSuSE 11.3 (i.e. using OpenSSL 1.0) correctly refuses to connect if there is no CA cert.
All versions that I have tested (certainly back to 2.3.32) incorrectly fail to connect when the URL is ldap://localhost:1389/ and a CA cert is provided.
> I'll note that I just tested some localhost certs a few days ago and they were fine, and the cert verification code hasn't changed in quite a long time.
> (E.g., ITS#6711 the test setup there uses localhost with no problem.)
Hmm - that seems to be server-to-server. My problem is with the client tools, so maybe a different code-path is used.
I have put a small test case here: ftp://ftp.openldap.org/incoming/afindlay-localhost-tls-test-20110218.tgz
The server cert is valid for 'localhost' and also for '127.0.0.1'
The tests are:
sh 1-plain
    Plain LDAP connection - no problems.
    Connects to ldap://localhost:1389/

sh 2-tls-no-ca
    With TLS but client has no access to the CA cert,
    so this should fail with a complaint about 'self-signed certificate'.

sh 3-tls-with-ca
    With TLS and access to the CA cert. Connects to ldap://localhost:1389/
    This should succeed but it does not.

sh 4-tls-with-ca-numeric
    With TLS and access to the CA cert. This one uses ldap://127.0.0.1:1389/
    and succeeds.
Andrew
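Tests 3 and 4 in the message above differ only in whether the URL host is a name ('localhost') or a numeric address ('127.0.0.1'), and the server certificate is said to be valid for both. The following is an added example, not OpenLDAP or libldap code, showing the name-matching step a TLS client is expected to apply to the peer certificate once the CA chain has verified: the host part of the LDAP URL is matched against dNSName subjectAltName entries when it is a name and against iPAddress entries when it is a literal address, with the Common Name used only as a legacy fallback when no dNSName is present (RFC 6125 / RFC 2818). The certificate dictionary is a constructed stand-in in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, not the real certificate from the tarball; the function names are this example's own.

```python
"""Hostname matching a TLS client should apply to an LDAP server certificate.

Added example (not OpenLDAP code). Given the host part of an LDAP URL and the
peer certificate in the shape returned by ssl.SSLSocket.getpeercert(), decide
whether the certificate is valid for that host, following RFC 6125 / RFC 2818:
  * a DNS name from the URL matches dNSName SAN entries (case-insensitive,
    one wildcard allowed only as the whole left-most label);
  * a numeric address matches iPAddress SAN entries only, never the CN;
  * the Common Name is consulted only when the cert has no dNSName SAN.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for the certificate in the test case: valid for both
# 'localhost' and '127.0.0.1'. This is NOT the real certificate from the tarball.
LOCALHOST_CERT = {
    "subject": ((("commonName", "localhost"),),),
    "subjectAltName": (("DNS", "localhost"), ("IP Address", "127.0.0.1")),
}


def host_from_ldap_url(url):
    """Return the host a client must verify for an ldap:// or ldaps:// URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("not an LDAP URL with a host: %r" % url)
    return parts.hostname  # already lower-cased; IPv6 brackets stripped


def _dns_match(pattern, host):
    """RFC 6125 6.4.3 comparison of one dNSName (or CN) against a host name."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    for i, (p, h) in enumerate(zip(p_labels, h_labels)):
        # A wildcard matches exactly one left-most label, and only if at least
        # two fixed labels follow it (so '*.com' never matches 'example.com').
        if i == 0 and p == "*" and len(p_labels) > 2:
            continue
        if p != h:
            return False
    return True


def cert_matches_host(cert, host):
    """True if the certificate is valid for host (a DNS name or a literal IP)."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # Numeric URL host: only an iPAddress SAN counts; the CN is ignored.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in san)
    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        return any(_dns_match(name, host) for name in dns_names)
    # Legacy fallback: no dNSName present, compare against the Common Name(s).
    cns = [value for rdn in cert.get("subject", ())
           for kind, value in rdn if kind == "commonName"]
    return any(_dns_match(cn, host) for cn in cns)


def check_ldap_url(url, cert=LOCALHOST_CERT):
    """Combine URL parsing and certificate matching for one LDAP URL."""
    return cert_matches_host(cert, host_from_ldap_url(url))


if __name__ == "__main__":
    # Against the constructed cert, both URLs from tests 3 and 4 should pass.
    for url in ("ldap://localhost:1389/", "ldap://127.0.0.1:1389/",
                "ldap://ldap.example.com:389/"):
        print(url, "->", "cert matches" if check_ldap_url(url) else "MISMATCH")
```

A client that accepts ldap://127.0.0.1:1389/ but rejects ldap://localhost:1389/ against a certificate carrying both entries is failing in the dNSName branch, not in chain verification, which is the distinction the four scripted tests isolate.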