HI!
I vaguely remember that there were code changes to the hostname cert checking when connecting via StartTLS ext.op. or LDAPS. But I'd prefer if the default behaviour would be strict like it was.
I'm testing with RE24 libs.
Ciao, Michael.
Michael Ströder wrote:
HI!
I vaguely remember that there were code changes to the hostname cert checking when connecting via StartTLS ext.op. or LDAPS. But I'd prefer if the default behaviour would be strict like it was.
You'll have to be more specific. What are you seeing that it doesn't do any more?
I'm testing with RE24 libs.
Howard Chu wrote:
Michael Ströder wrote:
HI!
I vaguely remember that there were code changes to the hostname cert checking when connecting via StartTLS ext.op. or LDAPS. But I'd prefer if the default behaviour would be strict like it was.
You'll have to be more specific. What are you seeing that it doesn't do any more?
The server cert has this subject name for server name nb2.stroeder.local: /C=DE/L=Karlsruhe/O=stroeder.com/OU=ITS/CN=nb2.stroeder.local
But I can successfully connect to it with this command:
ldapsearch -H ldaps://localhost:1391
From my understanding this should not be possible by default.
Ciao, Michael.
HI!
I'm using libldap of RE24 and have a problem with host name checking when doing TLS.
OpenLDAP's debug output (real hostname exactly replaced by srv.domain.local):
------------------------------ snip ------------------------------
TLS: hostname (srv.domain.local.) does not match common name in certificate (srv.domain.local).
------------------------------ snip ------------------------------
Is this because of the trailing dot?
Ciao, Michael.
Michael Ströder michael@stroeder.com writes:
HI!
I'm using libldap of RE24 and have a problem with host name checking when doing TLS.
OpenLDAP's debug output (real hostname exactly replaced by srv.domain.local):
------------------------------ snip ------------------------------
TLS: hostname (srv.domain.local.) does not match common name in certificate (srv.domain.local).
------------------------------ snip ------------------------------
Is this because of the trailing dot?
Did you update opensuse-11.1 recently? I have faced some problems with updated openssl-0.9.8h-28.10.1 and certificate verification.
-Dieter
--On Wednesday, August 12, 2009 2:11 PM +0200 Michael Ströder michael@stroeder.com wrote:
Is this because of the trailing dot?
Does it work with 2.4.17? Or do you only see this with RE24? There were some recent changes made to the code. I'd let you know the commits, but the OpenLDAP site appears to be down.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Michael Ströder wrote:
HI!
I'm using libldap of RE24 and have a problem with host name checking when doing TLS.
OpenLDAP's debug output (real hostname exactly replaced by srv.domain.local):
------------------------------ snip ------------------------------
TLS: hostname (srv.domain.local.) does not match common name in certificate (srv.domain.local).
------------------------------ snip ------------------------------
Is this because of the trailing dot?
Probably. The RFC requires an exact match, there's no exception for dots.
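As an added illustration of the exact-match rule described above (example code written for this page, not libldap's implementation): a strict label-by-label comparison of the requested host against one certificate name, assuming the RFC 6125 conventions of case-insensitive labels and a single left-most wildcard label, plus the client-side remedy of stripping the trailing dot before the check. The host and certificate names are the ones quoted in the thread.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* One DNS label, case-insensitive; a left-most "*" label matches any non-empty host label. */
static bool label_matches(const char *h, size_t hlen, const char *c, size_t clen, bool leftmost)
{
    if (leftmost && clen == 1 && c[0] == '*')
        return hlen > 0;
    if (hlen != clen)
        return false;
    for (size_t i = 0; i < hlen; i++)
        if (tolower((unsigned char)h[i]) != tolower((unsigned char)c[i]))
            return false;
    return true;
}

/* Strict comparison of host against a certificate name (CN or SAN dNSName).
 * Nothing is normalised: the trailing dot of an absolute name becomes an
 * extra empty label, so "srv.domain.local." never matches "srv.domain.local". */
bool host_matches_cert_name(const char *host, const char *cert_name)
{
    bool leftmost = true;
    for (;;) {
        const char *hd = strchr(host, '.');
        const char *cd = strchr(cert_name, '.');
        size_t hlen = hd ? (size_t)(hd - host) : strlen(host);
        size_t clen = cd ? (size_t)(cd - cert_name) : strlen(cert_name);
        if (!label_matches(host, hlen, cert_name, clen, leftmost))
            return false;
        if (!hd || !cd)
            return hd == cd;   /* both names must run out of labels together */
        host = hd + 1;
        cert_name = cd + 1;
        leftmost = false;
    }
}

/* Client-side remedy: drop one trailing dot, then run the same strict check. */
bool host_matches_after_strip(const char *host, const char *cert_name)
{
    char buf[256];             /* longer than any valid DNS name */
    size_t n = strlen(host);
    if (n >= sizeof buf)
        return false;
    if (n > 0 && host[n - 1] == '.')
        n--;
    memcpy(buf, host, n);
    buf[n] = '\0';
    return host_matches_cert_name(buf, cert_name);
}
```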
Howard Chu wrote:
Michael Ströder wrote:
I'm using libldap of RE24 and have a problem with host name checking when doing TLS.
OpenLDAP's debug output (real hostname exactly replaced by srv.domain.local):
------------------------------ snip ------------------------------
TLS: hostname (srv.domain.local.) does not match common name in certificate (srv.domain.local).
------------------------------ snip ------------------------------
Is this because of the trailing dot?
Probably. The RFC requires an exact match, there's no exception for dots.
It seems I messed up something locally. Sorry for the noise.
Ciao, Michael.