For the test suite, I've generated a server cert with:
Subject: C=US, ST=CA, O=OpenLDAP Foundation, OU=OpenLDAP Test Suite,
X509v3 Subject Alternative Name:
slapd is listening as:
-h ldap://localhost:9011/ ldaps://localhost:9012/ -d 0x4105
I.e., slapd is referring to itself as "localhost", and the cert fully
refers to itself as "localhost".
However, if I do a startTLS op to this host with reqcert set to "demand",
it fails with:
TLS: hostname (u16build) does not match common name in certificate
Given that everything is using "localhost", it seems to me it should
succeed rather than fail, and that this error is incorrect.
The issue seems to be this if statement in tls_o.c:
if( ldap_int_hostname &&
( !name_in || !strcasecmp( name_in, "localhost" ) ) )
if I remove the check against the "localhost" name, things succeed as
Is there something valid we are trying to protect against here?
Packaged, certified, and supported LDAP solutions powered by OpenLDAP: