--On Wednesday, May 10, 2017 7:02 PM +0100 Howard Chu hyc@symas.com wrote:
> The point is there is nothing on your machine that says your hostname is "localhost". Therefore, since the subjectAltName of DNS:localhost doesn't match any known name for your host, the cert is rejected.
Sure there is, /etc/hosts. And as I noted, per RFC 6761, "localhost." is a recognized domain. The OpenLDAP code is incorrect.
A better solution would be for the localhost case to check if (a) the cert has a match, and if it fails, then fall back to see if it matches ldap_int_hostname.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
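The check Quanah proposes, written out as an added example in Python (this is not OpenLDAP's code; `verify_hostname`, `san_matches` and the sample hostnames are assumptions): the certificate's dNSName SANs are compared against the name the client connected to first, and only when that name is localhost and the first comparison failed does it fall back to the machine's canonical hostname, the value OpenLDAP keeps in ldap_int_hostname. Names are normalised so that "localhost." (RFC 6761) and "localhost" compare equal.

```python
"""Certificate hostname check with the localhost fallback from the thread.
Added example, not OpenLDAP's own code: the names below are assumptions."""


def _norm(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot marks the root,
    # so "localhost." (RFC 6761) and "localhost" are the same name.
    return name.lower().rstrip(".")


def san_matches(san: str, host: str) -> bool:
    """Match one dNSName SAN against a host, allowing only a whole
    left-most wildcard label (RFC 6125 style): "*.example.test"
    matches "ldap01.example.test" but not "a.b.example.test"."""
    san_n, host_n = _norm(san), _norm(host)
    if san_n == host_n:
        return True
    if san_n.startswith("*.") and "*" not in san_n[2:]:
        return (host_n.endswith(san_n[1:])
                and host_n.count(".") == san_n.count("."))
    return False


def verify_hostname(dns_sans, requested_host, local_hostname):
    """Return the SAN entry that matched, or None.

    (a) compare the SANs against the name the client connected to;
    (b) only when that name is localhost and (a) failed, fall back to the
        machine's canonical hostname (the value OpenLDAP keeps in
        ldap_int_hostname), since a cert issued for the real host name is
        also legitimately reachable through the loopback name."""
    for san in dns_sans:
        if san_matches(san, requested_host):
            return san
    if _norm(requested_host) == "localhost" and local_hostname:
        for san in dns_sans:
            if san_matches(san, local_hostname):
                return san
    return None


if __name__ == "__main__":
    # Constructed sample: the situation from the thread, a certificate
    # carrying DNS:localhost used while connecting to ldap://localhost.
    canonical = "ldap01.example.test"   # stand-in for ldap_int_hostname
    print(verify_hostname(["localhost"], "localhost", canonical))
    print(verify_hostname([canonical], "localhost", canonical))
    print(verify_hostname([canonical], "ldap02.example.test", canonical))
```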