--On Tuesday, May 09, 2017 10:58 PM +0200 Michael Ströder michael@stroeder.com wrote:
>> "subjectAltName" means *alternative* name. It is totally correct for libldap to reject your cert with a hostname mismatch when the cert CN is incorrect.
> Human language can cause misunderstandings. So maybe I misread your statement. But I'm reading your sentence that the CN must always match or at least be an FQDN even if a subjectAltName value already matched.
Right now, it requires that a value in subjectAltName match the local host name, which is also invalid. I know the purpose of the check is to allow someone to use -H ldap://localhost to the ldap client, where the cert only exists for the hostname (i.e., it has no DNS:localhost value). However, the current code I maintain is incorrect in that it invalidates the current case, where everything is restricted to "localhost". Quite frankly, the cert CN can technically be anything, as long as at least one value in subjectAltName matches.
Unfortunately, I can't do an IP-based cert either, since I've no idea what "localhost" will actually map to on the system.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
Quanah Gibson-Mount wrote:
> --On Tuesday, May 09, 2017 10:58 PM +0200 Michael Ströder michael@stroeder.com wrote:
>>> "subjectAltName" means *alternative* name. It is totally correct for libldap to reject your cert with a hostname mismatch when the cert CN is incorrect.
>> Human language can cause misunderstandings. So maybe I misread your statement. But I'm reading your sentence that the CN must always match or at least be an FQDN even if a subjectAltName value already matched.
No. One or the other must match, but the CN must be an FQDN. The point of alternatives is to support wildcards, aliases, and non-DNS name forms (such as IP address).
> Right now, it requires that a value in subjectAltName match the local host name, which is also invalid.
> I know the purpose of the check is to allow someone to use -H ldap://localhost to the ldap client, where the cert only exists for the hostname (i.e., it has no DNS:localhost value).
Yes.
> However, the current code I maintain is incorrect in that it invalidates the current case, where everything is restricted to "localhost".
No. "everything is restricted to localhost" is meaningless. Telling slapd to listen on "-h ldap://localhost" doesn't change slapd's hostname to "localhost".
> Quite frankly, the cert CN can technically be anything, as long as at least one value in subjectAltName matches.
Agreed.
> Unfortunately, I can't do an IP-based cert either, since I've no idea what "localhost" will actually map to on the system.
Sorry but that makes no sense. "localhost" is 127.0.0.1. Always.
--On Wednesday, May 10, 2017 4:21 PM +0100 Howard Chu hyc@symas.com wrote:
> No. One or the other must match, but the CN must be an FQDN. The point of alternatives is to support wildcards, aliases, and non-DNS name forms (such as IP address).
RFC reference?
>> Unfortunately, I can't do an IP-based cert either, since I've no idea what "localhost" will actually map to on the system.
> Sorry but that makes no sense. "localhost" is 127.0.0.1. Always.
Wish that were true, but I've come across installations where that wasn't the case (I've seen 127.0.0.2 for example). Also, on an IPv6-only machine, it could be ::1 (although again, I've seen it be other IPv6 addresses as well).
--Quanah
Quanah Gibson-Mount wrote:
> --On Wednesday, May 10, 2017 4:21 PM +0100 Howard Chu hyc@symas.com wrote:
>> No. One or the other must match, but the CN must be an FQDN. The point of alternatives is to support wildcards, aliases, and non-DNS name forms (such as IP address).
> RFC reference?
RFC 6125 which in turn mentions RFC 4513.
>> Sorry but that makes no sense. "localhost" is 127.0.0.1. Always.
> Wish that were true, but I've come across installations where that wasn't the case (I've seen 127.0.0.2 for example). Also, on an IPv6-only machine, it could be ::1 (although again, I've seen it be other IPv6 addresses as well).
AFAIK 127.0.0.2 is used by some Linux distributions for a hostname != 'localhost' with non-networked status.
Ciao, Michael.
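The matching rule Howard states above (one of the CN or a subjectAltName value must match, with SANs carrying the wildcard, alias and IP-address forms) and the RFC 6125 reference Michael gives, worked through as an added Python example. This is not libldap's or OpenSSL's own checking code and it does not consult DNS: the certificates are constructed dicts in the layout Python's ssl.SSLSocket.getpeercert() uses, and match_hostname, _dns_match and demo are this example's own names. It also covers the wildcard and CN-only-fallback cases the thread mentions only in passing.

```python
"""RFC 6125 style hostname matching over a certificate laid out the way
Python's ssl.SSLSocket.getpeercert() returns it.

Added example for this thread; it models the matching rules under discussion
and is NOT libldap's or OpenSSL's own checking code.  Function names and the
sample certificates below are this example's own constructions."""
import ipaddress


def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive dNSName comparison.  A wildcard is accepted only as
    the entire left-most label of a pattern with at least two more labels
    ("*.example.com", not "*.com" or "f*.example.com"), and it matches
    exactly one label, so "*.example.com" never covers "a.b.example.com"."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or "*" in plabels[1:]:
        return False
    return (len(plabels) == len(hlabels) and hlabels[0] != ""
            and plabels[1:] == hlabels[1:])


def match_hostname(cert: dict, target: str) -> bool:
    """True when `target` (a DNS name or an IP literal) is a name the cert
    carries, applying the RFC 6125 section 6.4.4 precedence:

      * an IP-literal target is compared only with iPAddress SAN entries;
      * a DNS-name target is compared only with dNSName SAN entries;
      * the subject CN is consulted only when the cert has no dNSName SAN at
        all.  Once any dNSName SAN is present the CN is ignored, which is why
        the CN "can technically be anything" as long as one SAN matches.
    """
    san = cert.get("subjectAltName", ())
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None

    if target_ip is not None:
        # A DNS:localhost entry does not help here: the client was pointed at
        # an address, and only iPAddress entries are compared against it.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == target_ip
                   for kind, value in san)

    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        return any(_dns_match(pattern, target) for pattern in dns_names)

    # Legacy fallback: no dNSName SAN, so the subject CN is the only name.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_match(value, target)
    return False


# Constructed sample certificates (not real certs), in getpeercert() layout.
CERT_FQDN_ONLY = {                      # typical server cert: CN == SAN == FQDN
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"),),
}
CERT_LOCALHOST_SAN = {                  # bogus CN, but SANs cover the local names
    "subject": ((("commonName", "anything-at-all"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "localhost"),
                       ("IP Address", "127.0.0.1"), ("IP Address", "::1")),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
CERT_CN_ONLY = {                        # pre-SAN style cert: CN is the only name
    "subject": ((("countryName", "US"),), (("commonName", "ldap.example.com"),)),
}


def demo() -> dict:
    """The cases argued over in the thread, keyed by a short description."""
    return {
        # -H ldap://localhost against a cert that only names the FQDN
        "fqdn cert, target localhost": match_hostname(CERT_FQDN_ONLY, "localhost"),
        # same URL once DNS:localhost is in the SAN; the odd CN is irrelevant
        "san cert, target localhost": match_hostname(CERT_LOCALHOST_SAN, "localhost"),
        # -H ldap://127.0.0.1, i.e. the client was given the address itself
        "san cert, target 127.0.0.1": match_hostname(CERT_LOCALHOST_SAN, "127.0.0.1"),
        # a box where "localhost" maps to 127.0.0.2 and the address was used
        "san cert, target 127.0.0.2": match_hostname(CERT_LOCALHOST_SAN, "127.0.0.2"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:32s} -> {'match' if ok else 'MISMATCH'}")
```

The last two cases show the bind Quanah describes: when the client is given an address rather than a name, only iPAddress entries are compared, so an IP:127.0.0.1 SAN does nothing for a host where "localhost" maps to 127.0.0.2, while a DNS:localhost entry matches whatever the name resolves to because the name, not the address, is what gets checked.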