My software was using openldap client 2.4.44 to talk to the LDAP server. We have shifted to 2.4.59 now to address some issues. Ever since we shifted, the new version is allowing LDAP over TLS without hostname verification.
In the older ver 2.4.44, I always got this error if hostname did not match the CN value:
return code -1 - Can't contact LDAP server) diagnostic message TLS: hostname does not match CN in peer certificate
But after the lib update, no such error even if I am using LDAP server IP to do LDAP bind while LDAP server certificate has CN set as some FQDN (say test.ldap.com). Our client side code has not changed while we updated the ldap lib. For our client, we are only doing these settings:
ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR, lCertsDir) ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, lCert)
Has there been any change in this regard? How do I enforce hostname verification now?
I raised the issue https://bugs.openldap.org/show_bug.cgi?id=9869 but it has been set to verified/invalid state now. However, I do not know which version addresses the issue. Can anyone tell me which version would still verify the hostname when doing LDAP over TLS.
Thanks.