[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: tls_check_hostname (ITS#2161)
One suggestion: add subjectAltName=DNS:10.2.3.4 to your server cert.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of
> spangla@nationwide.com
> Sent: Wednesday, October 30, 2002 8:45 AM
> To: openldap-its@OpenLDAP.org
> Subject: tls_check_hostname (ITS#2161)
>
>
> Full_Name: Aaron Spangler
> Version: 2.1.4 & 2.0.25
> OS: Solaris 8
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (155.188.255.8)
>
>
> Description: cannot turn off tls_check_hostname
>
> I am using openldap + openssl(0.9.6g) to connect to an LDAP server.
> The server certificate subject is cn=servername.domain.domain
>
> ldap_initialize(&ldp,"ldaps://servername.domain.domain") works great.
>
> The problem is that we cannot rely on name resolution in our
> environment. I
> want to instead connect via the IP address to make things more stable.
>
> ldap_initialize(&ldp,"ldaps://10.2.3.4") fails with 'TLS:
> hostname does not
> match common name in certificate'
>
> I tried using ldap_set_option for
> LDAP_OPT_X_TLS_REQUIRE_CERT=0 which maps to
> the underlying ssl functions
> SSL_CTX_set_verify(...,SSL_VERIFY_NONE,...) But it
> appears to not make a difference.
>
> On further investigation of
> <openldap>/libraries/libldap/tls.c it looks as if
> ALWAYS called by ldap_int_tls_start() and there appears to be
> no way to turn it
> off. [I checked openldap 2.1.4 & 2.0.25]
>
> Any suggestions short of hard coding a return (LDAP_SUCCESS) inside of
> ldap_pvt_tls_check_hostname()?
>
> Thanks for your help in advance.
>
> -Aaron Spangler
>
>