darshankmistry@yahoo.com wrote:
Thank you very much for the quick response and the OpenLDAP behavior configuration.
How can we ignore looking at the server name in the subject of the certificate so I can use the LDAP server IP address instead of the host name?
Also, I want to know if there is any open CVE which says it is a vulnerability to use the LDAP server IP address instead of the name in the LDAP configuration.
Add the IP address in a subjectAlternativeName extension to your server certificate.
The behavior here is specified in RFC4513.
Thank you,
Darshankumar Mistry
darshankmistry@yahoo.com

On Friday, May 10, 2019, 12:58:38 PM PDT, Quanah Gibson-Mount <quanah@symas.com> wrote:

--On Friday, May 10, 2019 8:52 PM +0000 darshankmistry@yahoo.com wrote:
> Full_Name: Darshankumar Mistry
> Version:
> OS:
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (2001:420:10b:1272:fc1b:1ea:d311:6cac)
>
> I would like to know why Open LDAP behavior was changed where we must
> have to configure FQDN name mentioned in certificate in order to work LDAP
> authentication... else TLS start failing.
OpenLDAP has worked this way since I first started using it in 2002. This behavior is nothing new. And this is the correct behavior.
This ITS will be closed.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
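
Added example (not part of the original thread, and not OpenLDAP's code): a sketch of the subjectAltName comparison described in RFC 4513 section 3.1.3, showing why connecting by IP address fails against a certificate that names only the host and passes once an iPAddress entry is present. The certificate dicts are constructed samples in the layout returned by Python's ssl.SSLSocket.getpeercert(); the function names are hypothetical, and only subjectAltName is consulted.

```python
import ipaddress

def _dns_match(pattern: str, name: str) -> bool:
    """Case-insensitive dNSName match; '*' counts only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if len(p) != len(n):
        return False            # '*.example.com' must not match 'a.b.example.com'
    if p[0] == "*":
        return p[1:] == n[1:]
    return p == n

def server_identity_ok(cert: dict, reference: str) -> bool:
    """Compare the name or address the client connected to with the cert's SANs.

    `reference` is what the client was configured with (host name or IP).
    """
    sans = cert.get("subjectAltName", ())
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None

    if ref_ip is None:
        # Host name reference: only dNSName entries are eligible.
        return any(kind == "DNS" and _dns_match(value, reference)
                   for kind, value in sans)

    # IP reference: only iPAddress entries are eligible, compared as
    # network-byte-order octets, so textual form (case, '::') is irrelevant.
    for kind, value in sans:
        if kind != "IP Address":
            continue            # an IP written inside a dNSName does not count
        try:
            if ipaddress.ip_address(value.strip()).packed == ref_ip.packed:
                return True
        except ValueError:
            continue            # malformed entry: ignore it
    return False

# Constructed sample certificates (documentation address ranges).
HOSTNAME_ONLY = {"subjectAltName": (("DNS", "ldap.example.com"),)}
WITH_IP_SAN = {"subjectAltName": (("DNS", "ldap.example.com"),
                                  ("IP Address", "192.0.2.10"),
                                  ("IP Address", "2001:DB8:0:0:0:0:0:10"))}

if __name__ == "__main__":
    for label, cert in (("hostname only", HOSTNAME_ONLY), ("with IP SAN", WITH_IP_SAN)):
        for ref in ("ldap.example.com", "192.0.2.10", "2001:db8::10"):
            print(f"{label:14} {ref:18} -> {server_identity_ok(cert, ref)}")
```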