In testing a suggestion from Howard, it appears that OpenLDAP code is broken for IP-based certs (where the IP: <addr> is in the Subject Alternative Name), as it does a hostname lookup prior to validating the cert. This is trivially demonstrable using a cert with:
X509v3 Subject Alternative Name: DNS:localhost, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
Attempting to connect via ldapsearch to ldap://127.0.0.1 and initiate StartTLS will fail, as the IP gets mapped to "localhost", and then the FQDN check fails. But this would imply any attempt to use the IP: values in the Subject Alternative Name will be a problem, since "name_in" is translated.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
Quanah Gibson-Mount wrote:
> Attempting to connect via ldapsearch to ldap://127.0.0.1 and initiate StartTLS will fail, as the IP gets mapped to "localhost", and then the FQDN check fails.
Yes, this is a bug. Especially since the mapping to "localhost" does not have a trustable source for this mapping.
Ciao, Michael.
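The check both messages describe, worked through as an added example (not OpenLDAP's code): a SAN list in the form of the certificate above is parsed, and an IP literal is matched directly against the iPAddress entries, while a hostname is matched only against dNSName entries. A second function shows the reverse-lookup pattern Quanah reports, with a constructed PTR table standing in for the resolver, so the result depends on data that, as Michael notes, is not a trustable source.

```python
import ipaddress

# Constructed SAN text in the same form as the certificate quoted in the thread.
SAN_TEXT = "DNS:localhost, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1"


def parse_san(text):
    """Split an OpenSSL-style SAN line into ('DNS', name) / ('IP', address) tuples."""
    entries = []
    for item in text.split(","):
        kind, _, value = item.strip().partition(":")
        if kind == "DNS":
            entries.append(("DNS", value.lower()))
        elif kind == "IP Address":
            # ipaddress normalises forms, so 0:0:0:0:0:0:0:1 compares equal to ::1
            entries.append(("IP", ipaddress.ip_address(value)))
    return entries


def dns_match(pattern, host):
    """RFC 6125-style match: exact, or '*' only as the whole left-most label."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    labels = host.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def verify_name(entries, name_in):
    """Correct check: an IP literal (with or without URL brackets) is compared only
    against iPAddress SANs, a hostname only against dNSName SANs. No DNS lookup."""
    try:
        ip = ipaddress.ip_address(name_in.strip("[]"))
    except ValueError:
        return any(k == "DNS" and dns_match(v, name_in) for k, v in entries)
    return any(k == "IP" and v == ip for k, v in entries)


# Constructed reverse-DNS answers standing in for whatever the resolver returns.
FAKE_PTR = {"127.0.0.1": "localhost.localdomain"}


def verify_name_via_reverse_lookup(entries, name_in):
    """The pattern reported as broken: translate name_in through a reverse lookup
    first, then check only dNSName entries. The outcome is decided by PTR data."""
    host = FAKE_PTR.get(name_in, name_in)
    return any(k == "DNS" and dns_match(v, host) for k, v in entries)
```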