Quanah Gibson-Mount wrote:
For the test suite, I've generated a server cert with:
Subject: C=US, ST=CA, O=OpenLDAP Foundation, OU=OpenLDAP Test Suite, CN=localhost
and
X509v3 Subject Alternative Name:
DNS:localhost
slapd is listening as:
/home/build/git/symas-packages/thirdparty/openldap/build/UBUNTU16_64/symas-openldap/servers/slapd/.libs/lt-slapd
-s0 -f
/home/build/git/symas-packages/thirdparty/openldap/build/UBUNTU16_64/symas-openldap/tests/testrun/slapd.1.conf
-h ldap://localhost:9011/ ldaps://localhost:9012/ -d 0x4105
I.e., slapd is referring to itself as "localhost", and the cert fully refers
to itself as "localhost".
However, if I do a startTLS op to this host with reqcert set to "demand", it
fails with:
TLS: hostname (u16build) does not match common name in certificate (localhost).
Given that everything is using "localhost", it seems to me it should succeed
rather than fail, and that this error is incorrect.
The issue seems to be this if statement in tls_o.c:
if( ldap_int_hostname &&
( !name_in || !strcasecmp( name_in, "localhost" ) ) )
{
if I remove the check against the "localhost" name, things succeed as
expected.
Is there something valid we are trying to protect against here?
"localhost" isn't a real hostname. If your host has a real hostname, it gets
used. That code has existed since 2001:
commit 943800a53433989fdf6e65ac8971459c48301399
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<
http://www.symas.com>
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/