leva@ecentrum.hu wrote:
Full_Name: LÉVAI Dániel
Version: 2.4.11
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (78.131.56.68)
I'm using OpenLDAP 2.4.11 on a Debian testing/lenny system. The GnuTLS version is 2.4.2.
So it seems, according to OpenLDAP, 192.168.1.3 != 192.168.1.3. Why is that?
And please allow me to include some additional information, which was told to me by Philip Guenther on openldap-software@: "It appears the routine used with GNUtls refuses to match IP addresses against a CN subjects component, thus explaining that weird message.
(In ldap_pvt_tls_check_hostname(), 'len1' is only non-zero if the hostname doesn't look like an IPv6 or IPv4 address, while the subject CN test needs 'len1' to be the same as the length of the CN value.)"
Thanks for the report, now fixed in HEAD.
Note that using an IP address in the CN is not the way you're supposed to generate certs; IP addresses belong in the subjectAltName extension. The CN is only supposed to contain a fully qualified domain name.
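As an added illustration (not OpenLDAP's code or its fix) of the policy described in the reply: a verifier that matches an IP literal only against subjectAltName iPAddress entries and never against the CN, while a DNS name is matched against dNSName entries and falls back to the CN only when the certificate carries no dNSName. The certificate dicts below are constructed stand-ins for parsed certificates.

```python
"""Hostname verification: IP literals vs. DNS names (added example, not OpenLDAP code)."""
import ipaddress

# Constructed certificate identities, modelled as plain dicts (no real X.509 parsing).
CERT_CN_ONLY_IP = {"cn": "192.168.1.3", "san_dns": [], "san_ip": []}
CERT_SAN_IP = {"cn": "ldap.example.test", "san_dns": ["ldap.example.test"],
               "san_ip": ["192.168.1.3", "fd00::3"]}
CERT_CN_DNS = {"cn": "ldap.example.test", "san_dns": [], "san_ip": []}


def _parse_ip(name):
    """Return an ip_address object if 'name' is an IPv4/IPv6 literal, else None."""
    try:
        return ipaddress.ip_address(name.strip("[]"))
    except ValueError:
        return None


def _dns_match(pattern, host):
    """Case-insensitive DNS match; a leading '*.' matches exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        rest = pattern[2:]
        labels = host.split(".")
        # Require at least two labels after the wildcard so "*.test" cannot match.
        return len(labels) > 1 and rest.count(".") >= 1 and ".".join(labels[1:]) == rest
    return pattern == host


def check_hostname(cert, name):
    """True if 'name' (what the client connected to) is an identity present in 'cert'.

    An IP literal is compared as a binary address only against subjectAltName
    iPAddress entries; the CN is never consulted for IP literals, so a cert whose
    only identity is an IP in the CN does not verify.  A DNS name is compared
    against dNSName entries, with the CN as fallback only when no dNSName exists.
    """
    ip = _parse_ip(name)
    if ip is not None:
        return any(_parse_ip(s) == ip for s in cert["san_ip"])
    if cert["san_dns"]:
        return any(_dns_match(p, name) for p in cert["san_dns"])
    return _dns_match(cert["cn"], name)
```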