https://bugs.openldap.org/show_bug.cgi?id=9543
Issue ID: 9543
Summary: Patch : Customize CN check on TLS
Product: OpenLDAP
Version: unspecified
Hardware: i386
OS: Other
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs@openldap.org
Reporter: julien.wadel@belledonne-communications.com
Target Milestone: ---
Created attachment 821 --> https://bugs.openldap.org/attachment.cgi?id=821&action=edit Patch on master
Hi, I added a feature that allows customizing the domain name used in TLS hostname verification. With it, we can use an IP that comes from our DNS resolver.
It is mainly used when we want to launch unit tests against a private server where the IP and domains are private. In our case, we use our own DNS resolver (internal code) which gives us an IP that is passed to LDAP. As we know the domain name but LDAP does not, we pass it to LDAP for checking (it is not an ignore option).
Here is the commit from our repository (based from 2.4): https://gitlab.linphone.org/BC/public/external/openldap/-/commit/a4fef2181ce...
Here is the branch from the HEAD of your current master (one commit, parent 60b7dc731ce9f2424a4a56d78ae99270a3c6239c) https://gitlab.linphone.org/BC/public/external/openldap/-/tree/feature/hostn...
Here is the branch from the HEAD of OPENLDAP_REL_ENG_2_4 (one commit, parent faf2c4e78641f69df3fdea5f97ddb058946f2051) https://gitlab.linphone.org/BC/public/external/openldap/-/tree/feature/hostn...
I attached the diff on master.
Regards
--- Comment #1 from Julien Wadel julien.wadel@belledonne-communications.com ---
Created attachment 822 --> https://bugs.openldap.org/attachment.cgi?id=822&action=edit Patch on 2.4
Julien Wadel julien.wadel@belledonne-communications.com changed:
What     | Removed | Added
---------|---------|------
OS       | Other   | All
Hardware | i386    | All
--- Comment #2 from Howard Chu hyc@openldap.org ---
On private test servers you should just generate server certs with the IP address in the cert subjectAltName.
I see no need for a patch like this, nor any good reason to break the RFC-compliant cert name checking.
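As an added illustration of the name-checking rules both comments refer to (this is example code written for this page, not OpenLDAP's libldap code and not the patch under discussion), the following Python implements the RFC 6125 reference-identity rules over certificates represented as plain dicts: a connection made to an IP literal is satisfied only by an iPAddress subjectAltName, which is what the suggestion above produces, while dNSName entries (including a single left-most wildcard label) only match a hostname, and the CN is consulted only when no dNSName SAN is present. Every certificate, hostname and address below is a constructed sample value; the function names are this example's own.

```python
"""Reference-identity matching as a client performs it during TLS server
verification (RFC 6125 section 6, RFC 5280 section 4.2.1.6).

Added example for this bug thread. Certificates are modelled as dicts
({"cn": str, "san": [(kind, value), ...]}) built inline; nothing here parses
real X.509 or reflects OpenLDAP's implementation.
"""
import ipaddress


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName (or CN) entry against a hostname, case-insensitively.

    A wildcard is accepted only as the entire left-most label and must leave at
    least two labels to its right, so "*.example.test" is allowed but "*.test",
    "ld*.example.test" and "*.*.example.test" are all rejected. The wildcard
    never spans a dot, so "*.example.test" does not cover "a.b.example.test".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    n_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(n_labels) and p_labels[1:] == n_labels[1:]


def match_reference_identity(cert: dict, reference: str) -> bool:
    """Return True if the identity the client connected to (`reference`) is
    asserted by `cert`.

    If `reference` is an IP literal (optionally bracketed, as in a URI), only
    iPAddress SAN entries count: a dNSName that happens to spell out the same
    address, and the CN, are ignored. Otherwise dNSName entries are tried, and
    the CN is used as a legacy fallback only when no dNSName SAN exists.
    """
    sans = cert.get("san", [])
    try:
        ref_ip = ipaddress.ip_address(reference.strip("[]"))
    except ValueError:
        ref_ip = None

    if ref_ip is not None:
        for kind, value in sans:
            if kind != "IP":
                continue
            try:
                if ipaddress.ip_address(value) == ref_ip:
                    return True
            except ValueError:
                continue  # malformed iPAddress entry: treat as non-matching
        return False

    dns_names = [value for kind, value in sans if kind == "DNS"]
    if dns_names:
        return any(_dns_name_match(name, reference) for name in dns_names)
    cn = cert.get("cn")
    return bool(cn) and _dns_name_match(cn, reference)


# Constructed sample certificates (no real keys or signatures involved).
CERT_DNS_ONLY = {"cn": "ldap.example.test",
                 "san": [("DNS", "ldap.example.test")]}
CERT_WITH_IP_SAN = {"cn": "ldap.example.test",
                    "san": [("DNS", "ldap.example.test"),
                            ("IP", "10.0.0.5"), ("IP", "fd00::5")]}
CERT_IP_IN_DNSNAME = {"cn": "ldap.example.test",
                      "san": [("DNS", "10.0.0.5")]}
CERT_CN_ONLY = {"cn": "ldap.example.test", "san": []}
CERT_WILDCARD = {"cn": "*.example.test", "san": [("DNS", "*.example.test")]}


def demo() -> dict:
    """Run the matcher over the sample certificates and return the outcomes."""
    return {
        # Connecting to a bare IP: a cert with only a dNSName does not verify.
        "dns_only_by_ip": match_reference_identity(CERT_DNS_ONLY, "10.0.0.5"),
        # The same connection verifies once the cert carries an iPAddress SAN.
        "ip_san_by_ipv4": match_reference_identity(CERT_WITH_IP_SAN, "10.0.0.5"),
        "ip_san_by_ipv6": match_reference_identity(CERT_WITH_IP_SAN, "[fd00::5]"),
        # That cert still verifies when the client connects by name.
        "ip_san_by_name": match_reference_identity(CERT_WITH_IP_SAN, "LDAP.Example.Test"),
        # An IP spelled inside a dNSName entry is not an iPAddress match.
        "ip_in_dnsname_by_ip": match_reference_identity(CERT_IP_IN_DNSNAME, "10.0.0.5"),
        # CN fallback applies only to hostnames and only without dNSName SANs.
        "cn_only_by_name": match_reference_identity(CERT_CN_ONLY, "ldap.example.test"),
        "cn_only_by_ip": match_reference_identity(CERT_CN_ONLY, "10.0.0.5"),
        # Wildcard covers exactly one label.
        "wildcard_one_label": match_reference_identity(CERT_WILDCARD, "ldap.example.test"),
        "wildcard_two_labels": match_reference_identity(CERT_WILDCARD, "a.ldap.example.test"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:24s} {'verified' if ok else 'REJECTED'}")
```

The `dns_only_by_ip` and `ip_san_by_ipv4` cases are the two situations the thread contrasts: the same server reached by a dynamic address fails verification until the certificate itself asserts that address, because the client's reference identity is whatever it actually connected to.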
--- Comment #3 from Julien Wadel julien.wadel@belledonne-communications.com ---
The IP is dynamic, so this is not a solution. And I don't think that using an IP in certificates is something to do. I wrote about the private test server to illustrate one way to use it. This is the same when using proxies, etc. The point is that we cannot explicitly set DNS servers in LDAP without changing the environment (I guess). I'll let you think about all the cases where it is needed.
But what is breaking the RFC? The check is still done. LDAP is still checking that the IP it is communicating with matches the name it should own. This is just the easiest way to do it where we cannot set a DNS server in LDAP (but I may be wrong on this point).