https://bugs.openldap.org/show_bug.cgi?id=9267
Issue ID: 9267
Summary: libldap incorrectly accepts IP addresses in cert subject field as valid
Product: OpenLDAP
Version: 2.4.50
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs@openldap.org
Reporter: quanah@openldap.org
Target Milestone: ---
With a cert that has no subjectAltName, and has an IP address in the subject, ldap client connections are still made instead of rejected. This appears to violate RFC 4513, section 3.1.3:
> The server's identity may also be verified by comparing the reference identity to the Common Name (CN) [RFC4519] value in the leaf Relative Distinguished Name (RDN) of the subjectName field of the server's certificate. This comparison is performed using the rules for comparison of DNS names in Section 3.1.3.1, below, with the exception that no wildcard matching is allowed. Although the use of the Common Name value is existing practice, it is deprecated, and Certification Authorities are encouraged to provide subjectAltName values instead. Note that the TLS implementation may represent DNs in certificates according to X.500 or other conventions. For example, some X.500 implementations order the RDNs in a DN using a left-to-right (most significant to least significant) convention instead of LDAP's right-to-left convention.
I do know we have an exception to the above in relation to wildcards in subject, since many CAs only issue certs that way (or at least did so at the time).
However that still revolves around DNS names. The acceptance of IP addresses is a separate matter and seems like it should be treated as a bug.
Quanah Gibson-Mount quanah@openldap.org changed:
What             | Removed     | Added
-----------------+-------------+-----------
Target Milestone | ---         | 2.5.0
Ever confirmed   | 0           | 1
Status           | UNCONFIRMED | CONFIRMED
Keywords         |             | OL_2_5_REQ
--- Comment #1 from Quanah Gibson-Mount quanah@openldap.org ---
Actually, the case is a bit different.
It only works if you use the IP address for the client, i.e.:
ldapsearch .. -ZZ -H ldap://127.0.0.1/
If you use the hostname, it fails correctly.
However, I think there's still a bug here in the former.
--- Comment #2 from Howard Chu hyc@openldap.org ---
(In reply to Quanah Gibson-Mount from comment #1)
> Actually, the case is a bit different.
> It only works if you use the IP address for the client, i.e.:
> ldapsearch .. -ZZ -H ldap://127.0.0.1/
> If you use the hostname, it fails correctly.
> However, I think there's still a bug here in the former.
Not a bug. Works as designed. Closing this.
Howard Chu hyc@openldap.org changed:
What       | Removed   | Added
-----------+-----------+---------
Status     | CONFIRMED | RESOLVED
Resolution | ---       | INVALID
Quanah Gibson-Mount quanah@openldap.org changed:
What     | Removed    | Added
---------+------------+---------
Keywords | OL_2_5_REQ |
Status   | RESOLVED   | VERIFIED
--- Comment #3 from Quanah Gibson-Mount quanah@openldap.org ---
From RFC4513, the subject field may only be parsed for DNS names.
However, it states that that parsing must follow the rules from section 3.1.3.1. Section 3.1.3.1 states that RFC3490 section 3 is to be used for doing the comparisons, which is a straight ASCII match. This allows an IP address in the subject field to match an IP address in a URI. So this specific case is allowed via RFC.
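The matching rule comment #3 lays out, written up as an added example (not libldap code and not from this thread): the reference identity is taken from the `-H` URI, subjectAltName is consulted when present, and a certificate with no subjectAltName falls back to a CN compared as a DNS name with straight ASCII label matching, which is why `CN=127.0.0.1` matches `ldap://127.0.0.1/` but not `ldap://localhost/`. The function names and the `allow_cn_wildcard` switch (modelling the CN wildcard exception mentioned in the report) are assumptions of this example.

```python
import ipaddress
from urllib.parse import urlsplit


def reference_identity(ldap_uri):
    """Host part of an LDAP URI, the reference identity an -H option yields."""
    host = urlsplit(ldap_uri).hostname
    if host is None:
        raise ValueError("URI has no host: %r" % ldap_uri)
    return host


def dns_names_match(reference, presented, allow_wildcard=False):
    """RFC 4513 3.1.3.1 style comparison: label by label, case-insensitive
    ASCII. A leading '*' label, when allowed, stands for exactly one label."""
    ref = reference.lower().rstrip(".").split(".")
    pres = presented.lower().rstrip(".").split(".")
    if len(ref) != len(pres):
        return False
    if allow_wildcard and pres[0] == "*" and len(pres) > 1:
        return ref[1:] == pres[1:]
    return ref == pres


def server_identity_matches(reference, san_dns=(), san_ip=(), subject_cn=None,
                            allow_cn_wildcard=False):
    """Model of the check as the thread describes it (example code).
    subjectAltName is authoritative when present; the CN is only a fallback
    for a certificate that carries no subjectAltName at all."""
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None  # reference identity is a DNS name, not an IP literal
    if san_dns or san_ip:
        if ref_ip is not None:
            return any(ipaddress.ip_address(a) == ref_ip for a in san_ip)
        return any(dns_names_match(reference, d, True) for d in san_dns)
    if subject_cn is None:
        return False
    # CN fallback: DNS-name rules are a plain ASCII label compare, so an IP
    # literal in the CN matches the same literal in the URI (the thread's case)
    return dns_names_match(reference, subject_cn, allow_cn_wildcard)


if __name__ == "__main__":
    # constructed sample: cert with no subjectAltName and CN=127.0.0.1
    for uri in ("ldap://127.0.0.1/", "ldap://localhost/"):
        ref = reference_identity(uri)
        print(uri, "->", server_identity_matches(ref, subject_cn="127.0.0.1"))
```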