Michael Ströder wrote:
Howard Chu wrote:
Michael Ströder wrote:
Howard Chu wrote:
Show the output with debugging enabled. Note that "localhost" is treated specially, and will be replaced by the local hostname instead of being used directly in the name comparison.
Why that? I strongly dislike automagic things when doing security checks.
Probably because "localhost" is useless in an actual cert from a remote server.
Yes. But nothing prevents the client from providing the correct hostname.
Laziness, and the ubiquity of "localhost" in canned configs...
This has been a feature of libldap since 2.1, so it's certainly nothing new.
You can blame me that I did not notice this feature before. Still, I think that's broken, since libldap then has to rely on trustworthy name resolution instead of just comparing the inherently trusted user input against the cert's CN attribute. Hmm, didn't we have this discussion before?
I'm sure we have. Replacing "localhost" with the output of gethostname() is still inherently secure.