Rick van Rein wrote:
(John, we're sidetracking from your question, as you can probably tell.)
IMHO, the hostname check is immaterial (and potentially confusing, when hosting multiple dc=,dc= trees)
Not sure I understand "immaterial". One would have to write a spec which maps the "name" (here LDAP URL) used by the client to something stored in the TLS server cert.
I meant to say that the name does not have to be checked against the certificate to establish a secure connection. A direct result can be obtained by simply validating through key material:
1. have a dc=,dc= name
2. form a DNS name out of it [RFC 3088]
3. if possible, map to a server hostname with DNS SRV + DNSSEC
3a. lookup the address for the server with AAAA/A (don't care about DNSSEC)
3b. lookup TLSA record for the server with TLSA + DNSSEC
4. connect to the server and start TLS
5. compare the certificate presented with the TLSA data
The majority of deployments do not have DNSSEC in place. So some name check for TLS certs is strictly required for preventing a MITM attack.
IMO DNSSEC/DANE is not of much use for LDAP with TLS.
Ciao, Michael.
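The steps Rick lists (map the dc= name to a DNS name, derive the SRV and TLSA owner names, then compare the presented certificate with the TLSA data) and Michael's objection (without DNSSEC the TLSA data itself can be forged) can be made concrete in a few lines. The following is an added example written for this thread, not code from either poster or from OpenLDAP. It assumes the dc= to DNS mapping of RFC 2247 (which RFC 3088 builds on), the TLSA record layout and owner-name convention of RFC 6698, and uses constructed placeholder bytes in place of a real DER certificate and SubjectPublicKeyInfo; the function and class names are the example's own.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable

# Constructed stand-ins for a server's DER certificate and its SubjectPublicKeyInfo.
# Real values come out of the TLS handshake; these are placeholder bytes only.
SAMPLE_CERT_DER = b"\x30\x82" + b"constructed-certificate-bytes"
SAMPLE_SPKI_DER = b"\x30\x59" + b"constructed-spki-bytes"


def dc_dn_to_dns_name(dn: str) -> str:
    """Step 2: map a pure dc= DN (RFC 2247 style) to a DNS name, e.g. dc=example,dc=com -> example.com."""
    labels = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if attr.strip().lower() != "dc" or not sep or not value.strip():
            raise ValueError(f"not a pure dc= DN: {dn!r}")
        labels.append(value.strip().lower())
    return ".".join(labels)


def ldap_srv_owner(domain: str) -> str:
    """Step 3: SRV owner name used to locate LDAP servers for the domain (RFC 2782 naming)."""
    return f"_ldap._tcp.{domain}"


def tlsa_owner(host: str, port: int = 636) -> str:
    """Step 3b: TLSA owner name for a TLS service on host:port (RFC 6698 section 3)."""
    return f"_{port}._tcp.{host}"


@dataclass(frozen=True)
class TLSARecord:
    usage: int              # 3 = DANE-EE (the only usage handled here)
    selector: int           # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int           # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes             # certificate association data
    dnssec_validated: bool  # True only if a validating resolver set the AD bit


def _association_data(cert_der: bytes, spki_der: bytes, rec: TLSARecord) -> bytes:
    """Compute association data for the presented cert under the record's selector and matching type."""
    if rec.selector == 0:
        selected = cert_der
    elif rec.selector == 1:
        selected = spki_der
    else:
        raise ValueError(f"unsupported TLSA selector {rec.selector}")
    if rec.matching == 0:
        return selected
    if rec.matching == 1:
        return hashlib.sha256(selected).digest()
    if rec.matching == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unsupported TLSA matching type {rec.matching}")


def cert_matches_tlsa(cert_der: bytes, spki_der: bytes, records: Iterable[TLSARecord]) -> bool:
    """Step 5: accept the presented certificate if any DNSSEC-validated DANE-EE record matches it.

    Records that were not DNSSEC-validated are skipped: unsigned TLSA data can be
    substituted by the same on-path party the check is meant to defeat, which is
    why a deployment without DNSSEC still needs the hostname check on the cert.
    """
    for rec in records:
        if not rec.dnssec_validated or rec.usage != 3:
            continue
        if hmac.compare_digest(_association_data(cert_der, spki_der, rec), rec.data):
            return True
    return False


def make_tlsa_record(cert_der: bytes, spki_der: bytes, selector: int = 1,
                     matching: int = 1, dnssec_validated: bool = True) -> TLSARecord:
    """Build the TLSA record a zone operator would publish for this certificate."""
    probe = TLSARecord(3, selector, matching, b"", dnssec_validated)
    return TLSARecord(3, selector, matching, _association_data(cert_der, spki_der, probe), dnssec_validated)


if __name__ == "__main__":
    domain = dc_dn_to_dns_name("dc=example,dc=com")
    print("SRV lookup:", ldap_srv_owner(domain))
    print("TLSA lookup:", tlsa_owner("ldap." + domain))
    published = make_tlsa_record(SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    print("validated match:", cert_matches_tlsa(SAMPLE_CERT_DER, SAMPLE_SPKI_DER, [published]))
```

The `dnssec_validated` flag is where Michael's point lands: a client has to obtain it from a validating resolver (or validate the chain itself), and when it is false the DANE comparison gives no assurance, so the client must fall back to matching the LDAP URL's hostname against the certificate.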