tls_check_hostname (ITS#2161)
Full_Name: Aaron Spangler
Version: 2.1.4 & 2.0.25
OS: Solaris 8
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (155.188.255.8)
Description: cannot turn off tls_check_hostname
I am using openldap + openssl(0.9.6g) to connect to an LDAP server.
The server certificate subject is cn=servername.domain.domain
ldap_initialize(&ldp,"ldaps://servername.domain.domain") works great.
The problem is that we cannot rely on name resolution in our environment. I
want to instead connect via the IP address to make things more stable.
ldap_initialize(&ldp,"ldaps://10.2.3.4") fails with 'TLS: hostname does not
match common name in certificate'
I tried using ldap_set_option for LDAP_OPT_X_TLS_REQUIRE_CERT=0, which maps to
the underlying SSL function SSL_CTX_set_verify(...,SSL_VERIFY_NONE,...), but it
appears not to make a difference.
On further investigation of <openldap>/libraries/libldap/tls.c, it looks as if
ldap_pvt_tls_check_hostname() is ALWAYS called by ldap_int_tls_start(), and there
appears to be no way to turn it off. [I checked openldap 2.1.4 & 2.0.25]
Any suggestions short of hard coding a return (LDAP_SUCCESS) inside of
ldap_pvt_tls_check_hostname()?
Thanks for your help in advance.
-Aaron Spangler
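The check the report runs into compares the host part of the ldaps:// URL against the identities in the server certificate; hard-coding a return of LDAP_SUCCESS in ldap_pvt_tls_check_hostname() would make the client accept a certificate from whatever host answers on 10.2.3.4, as long as its chain validates. The Python below is an added example, not OpenLDAP's tls.c. It models the reference-identity matching rules in RFC 6125 / RFC 2818 style (a DNS reference is matched against dNSName subjectAltName entries, with the CN consulted only when no dNSName entry exists; an IP reference is matched only against iPAddress entries) and shows that the connection by IP address passes the check, without turning it off, once the certificate carries an iPAddress subjectAltName for 10.2.3.4. The certificate identities are constructed records, not real X.509 objects, and the example assumes the client library in use consults iPAddress entries, which the report does not state for the versions listed.

```python
"""Added example (not OpenLDAP code): TLS reference-identity matching.

Shows why a connection to 'ldaps://10.2.3.4' fails against a certificate whose
only identity is CN=servername.domain.domain, and why the fix that keeps the
check enabled is a certificate carrying an iPAddress subjectAltName.
Assumptions: matching follows RFC 6125 / RFC 2818 style rules; certificates
are represented as constructed identity records rather than real X.509 data.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CertIdentity:
    """Constructed stand-in for the identity fields of a server certificate."""
    common_name: Optional[str] = None
    dns_names: List[str] = field(default_factory=list)     # subjectAltName dNSName entries
    ip_addresses: List[str] = field(default_factory=list)  # subjectAltName iPAddress entries


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-name match allowing a single leftmost wildcard label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels = pattern.split(".")
        h_labels = host.split(".")
        # '*.example.com' matches 'a.example.com' but not 'example.com'
        # or 'a.b.example.com' (label counts must agree).
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def check_hostname(cert: CertIdentity, reference: str) -> Tuple[bool, str]:
    """Return (ok, reason) for matching the URL host against the certificate."""
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None  # not an IP literal, so treat it as a DNS name

    if ref_ip is not None:
        # An IP reference is compared only against iPAddress SANs. The CN is
        # deliberately not consulted, so 'cn=servername.domain.domain' can
        # never satisfy a connection made to 10.2.3.4.
        for entry in cert.ip_addresses:
            try:
                if ipaddress.ip_address(entry) == ref_ip:
                    return True, f"matched iPAddress SAN {entry}"
            except ValueError:
                continue  # malformed SAN entry: skip it rather than match it
        return False, f"no iPAddress SAN matches {reference}"

    for name in cert.dns_names:
        if _dns_match(name, reference):
            return True, f"matched dNSName SAN {name}"
    # CN fallback applies only when the certificate has no dNSName SAN at all.
    if not cert.dns_names and cert.common_name and _dns_match(cert.common_name, reference):
        return True, f"matched CN {cert.common_name}"
    return False, "hostname does not match common name in certificate"


# Constructed scenarios mirroring the report.
CN_ONLY_CERT = CertIdentity(common_name="servername.domain.domain")
# Constructed reissued certificate: same CN plus SAN entries for the name and the IP.
SAN_CERT = CertIdentity(
    common_name="servername.domain.domain",
    dns_names=["servername.domain.domain"],
    ip_addresses=["10.2.3.4"],
)


def run_scenarios() -> dict:
    """Evaluate the connections discussed in the report plus one wrong-IP case."""
    return {
        "dns_vs_cn_only": check_hostname(CN_ONLY_CERT, "servername.domain.domain"),
        "ip_vs_cn_only": check_hostname(CN_ONLY_CERT, "10.2.3.4"),
        "ip_vs_san_cert": check_hostname(SAN_CERT, "10.2.3.4"),
        "other_ip_vs_san_cert": check_hostname(SAN_CERT, "10.9.9.9"),
    }


if __name__ == "__main__":
    for label, (ok, why) in run_scenarios().items():
        print(f"{label:22s} {'OK  ' if ok else 'FAIL'} {why}")
```

Reissuing the server certificate with subjectAltName entries for both the DNS name and the IP address keeps the hostname check enabled for either form of URL, whereas a client that skips the check has no way to tell the intended server from any other holder of a valid certificate.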