On Wed, May 10, 2017 at 09:32:59AM -0700, Quanah Gibson-Mount wrote:
RFC 6761 specifically notes that "localhost." is in fact a domain name (Section 6.3). Therefore, my certificates are in fact correct, and the OpenLDAP code check is indeed a bug.
"localhost." is a perfectly valid FQDN (as is the relatively common "localhost.localdomain."), but from earlier in the thread I gathered your system's FQDN is actually "u16build." or "u16build.some.domain.".
Does the FQDN (aka ldap_int_hostname) actually match one of the SANs in the certificate? The first time I tried your branch, the only reason it reached the CN check at all was because none of the SANs matched.
(But there may be a tiny bug if we're looking at CN at all when the cert contains a SAN. That sounds like it might be contrary to the RFC.)