Quanah Gibson-Mount wrote:
--On Tuesday, May 09, 2017 10:58 PM +0200 Michael Ströder michael@stroeder.com wrote:
"subjectAltName" means *alternative* name. It is totally correct for libldap to reject your cert with a hostname mismatch when the cert cn is incorrect.
Human language can cause misunderstandings. So maybe I misread your statement. But I'm reading your sentence that the CN must always match or at least be a FQDN even if a subjectAltName value already matched.
No. One or the other must match, but the CN must be an FQDN. The point of alternatives is to support wildcards, aliases, and non-DNS name forms (such as IP address).
Right now, it requires that a value in subjectAltName match the local host name, which is also invalid.
I know the purpose of the check is to allow someone to use -H ldap://localhost to the ldap client, where the cert only exists for the hostname (i.e., it has no DNS:localhost value).
Yes.
However, the current code I maintain is incorrect in that it invalidates the current case, where everything is restricted to "localhost".
No. "everything is restricted to localhost" is meaningless. Telling slapd to listen on "-h ldap://localhost" doesn't change slapd's hostname to "localhost".
Quite frankly, the certcn can technically be anything, as long as at least one value in subjectAltName matches.
Agreed.
Unfortunately, I can't do an IP based cert either, since I've no idea what "localhost" will actually map to on the system.
Sorry but that makes no sense. "localhost" is 127.0.0.1. Always.
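As an added illustration (my own example, not libldap's code), here is a Python model of the check as the thread describes it: a matching subjectAltName dNSName suffices whatever the CN says; otherwise the CN must be an FQDN and match; and a connection to "localhost" is compared against the machine's own hostname, which is why a certificate carrying only DNS:localhost is rejected. The wildcard rules (leftmost label only, exactly one label) are taken from RFC 6125 and are my assumption, not something the thread states.

```python
"""Model of the libldap hostname check discussed above (added example).

Rule modelled: a SAN dNSName or an FQDN CN must match the host being
verified; when the client connected to "localhost", libldap substitutes
the machine's own hostname before comparing."""


def _name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match; '*' allowed only as the whole leftmost label
    and matching exactly one label (RFC 6125 style, assumed here)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _is_fqdn(name: str) -> bool:
    """At least two non-empty labels, e.g. 'ldap.example.com'."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(labels)


def hostname_matches(connect_host, san_dns_names, cn, local_hostname):
    """Return (ok, reason) for the certificate's dNSNames/CN against
    the host the client connected to."""
    # libldap behaviour from the thread: "localhost" becomes the local hostname.
    host = local_hostname if connect_host.lower() == "localhost" else connect_host
    for san in san_dns_names:
        if _name_matches(san, host):
            # CN is irrelevant once a SAN value matched.
            return True, f"subjectAltName {san!r} matches {host!r}"
    if not _is_fqdn(cn):
        return False, f"no SAN match and CN {cn!r} is not an FQDN"
    if _name_matches(cn, host):
        return True, f"CN {cn!r} matches {host!r}"
    return False, f"neither SAN nor CN matches {host!r}"


if __name__ == "__main__":
    # Constructed inputs: the failing case from the thread (cert only for
    # DNS:localhost) versus a cert issued for the machine's hostname.
    print(hostname_matches("localhost", ["localhost"], "localhost", "ldap.example.com"))
    print(hostname_matches("localhost", ["ldap.example.com"], "junk", "ldap.example.com"))
```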