Quanah Gibson-Mount wrote:
> For the test suite, I've generated a server cert with:
>
> Subject: C=US, ST=CA, O=OpenLDAP Foundation, OU=OpenLDAP Test Suite, CN=localhost
>
> and
>
> X509v3 Subject Alternative Name:
> DNS:localhost
>
> slapd is listening as:
>
> /home/build/git/symas-packages/thirdparty/openldap/build/UBUNTU16_64/symas-openldap/servers/slapd/.libs/lt-slapd
> -s0 -f
> /home/build/git/symas-packages/thirdparty/openldap/build/UBUNTU16_64/symas-openldap/tests/testrun/slapd.1.conf
> -h ldap://localhost:9011/ ldaps://localhost:9012/ -d 0x4105
>
>
> I.e., slapd is referring to itself as "localhost", and the cert fully refers
> to itself as "localhost".
>
> However, if I do a startTLS op to this host with reqcert set to "demand", it
> fails with:
>
> TLS: hostname (u16build) does not match common name in certificate (localhost).
>
> Given that everything is using "localhost", it seems to me it should succeed
> rather than fail, and that this error is incorrect.
>
> The issue seems to be this if statement in tls_o.c:
>
> if( ldap_int_hostname &&
> ( !name_in || !strcasecmp( name_in, "localhost" ) ) )
> {
>
>
> if I remove the check against the "localhost" name, things succeed as expected.
>
> Is there something valid we are trying to protect against here?
"localhost" isn't a real hostname. If your host has a real hostname, it gets
used. That code has existed since 2001:
commit 943800a53433989fdf6e65ac8971459c48301399
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
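To make the behaviour under discussion concrete, here is an added C model of the substitution branch quoted from tls_o.c together with a minimal name check (example code written for this thread, not OpenLDAP's own tls_o.c; the hostname "u16build" and the certificate names come from Quanah's message, the function names are invented):

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Model of the quoted branch: when the library knows the machine's real
 * hostname (ldap_int_hostname) and the caller passed no name or
 * "localhost", the real hostname is what gets compared to the cert. */
static const char *name_to_verify(const char *ldap_int_hostname,
                                  const char *name_in)
{
    if (ldap_int_hostname && (!name_in || !strcasecmp(name_in, "localhost")))
        return ldap_int_hostname;
    return name_in;
}

/* Case-insensitive match of the chosen name against the certificate's
 * identities: SAN DNS entries first, then the subject CN. Wildcards are
 * deliberately not handled. Returns 1 on match, 0 otherwise. */
static int cert_name_matches(const char *name, const char *cn,
                             const char *const *san, size_t nsan)
{
    size_t i;
    if (!name) return 0;
    for (i = 0; i < nsan; i++)
        if (!strcasecmp(name, san[i])) return 1;
    return cn && !strcasecmp(name, cn);
}

/* The thread's scenario: a constructed test cert issued to "localhost"
 * with SAN DNS:localhost, verified on a machine with the given hostname. */
int verify_test_suite_case(const char *machine_hostname, const char *requested)
{
    const char *san[] = { "localhost" };   /* constructed cert SAN */
    const char *cn = "localhost";          /* constructed cert CN */
    const char *chosen = name_to_verify(machine_hostname, requested);
    int ok = cert_name_matches(chosen, cn, san, 1);
    if (!ok)
        printf("TLS: hostname (%s) does not match common name in certificate (%s).\n",
               chosen ? chosen : "(null)", cn);
    return ok;
}

int main(void)
{
    /* Fails exactly as reported: "localhost" is swapped for "u16build". */
    verify_test_suite_case("u16build", "localhost");
    /* Passes only when the library has no real hostname to substitute. */
    verify_test_suite_case(NULL, "localhost");
    return 0;
}
```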
I wonder if we should look into adopting a different SASL library. FastMail
may create a new home for Cyrus IMAP, but they don't seem to spend much
attention on SASL.