Re: (ITS#7006) openldap does not accept wildcard certificates with mozilla/nss - openldap-bugs

30 Sep 2011

hash_oldap@cycdolphin.net wrote:
...
Full_Name: Philippe Kueck
Version: 2.4.23 / 2.4.26
OS: RHEL 6.1
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (82.98.65.86)
When compiled against Mozilla/NSS OpenLDAP does not accept wildcard
certificates.
This is probably because in tls_m.c the certificate CN (*.domain.example) is
matched against the hostname (foo.domain.example), not against the domain
(.domain.example).
I suggest the following patch:
Thanks for the report, fixed in master.
...
--%snip%--
diff -Nru openldap-2.4.26-orig/libraries/libldap/tls_m.c
openldap-2.4.26/libraries/libldap/tls_m.c

--- openldap-2.4.26-orig/libraries/libldap/tls_m.c	2011-06-30 17:13:36.000000000
+0200
+++ openldap-2.4.26/libraries/libldap/tls_m.c	2011-08-01 16:29:42.000000000
+0200
@@ -2590,7 +2590,7 @@
   			if ( av->len == nlen&&  !strncasecmp( name, (char *)av->data, nlen )) {
   				ret = LDAP_SUCCESS;
   			} else if ( av->data[0] == '*'&&  av->data[1] == '.'&&

			domain&&  dlen == av->len - 1&&  !strncasecmp( name,




			domain&&  dlen == av->len - 1&&  !strncasecmp( domain,
			(char *)(av->data+1), dlen )) {
		ret = LDAP_SUCCESS;
	} else {



--%snip%--
Kind regards,
Philippe Kueck
-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



    