
Re: ldapsearch does not match simple hostnames against fqdns in certificates (ITS#3158)



This behavior is by design.

At 03:15 AM 5/26/2004, mai01cvr@studserv.uni-leipzig.de wrote:
>Full_Name: Arne Brutschy
>Version: 2.2.11
>OS: Linux 2.6.4
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (139.18.1.5)
>
>
>ldapsearch (and perhaps other LDAP tools as well) has problems while verifying
>the server's TLS certificate when connecting with a single hostname and the
>certificate's CN is an FQDN.
>
>Example:
>
>ldapsearch -x -W -D "cn=manager,dc=example,dc=com" -H ldaps://ldap:636
>
>fails, but
>
>ldapsearch -x -W -D "cn=manager,dc=example,dc=com" -H
>ldaps://ldap.example.com:636
>
>succeeds when the CN in the certificate is "ldap.example.com". This is wrong.
>OpenSSL's reference test client validates the certificate in the right way; you
>can test with:
>
>openssl s_client -connect ldap:636 -CApath /etc/ssl/certs
>
>Here is the full (stripped) debug output:
>
>ldap:/etc/openldap/tls # ldapsearch -x -W -D "cn=manager,dc=uni-leipzig,dc=de"
>-H ldaps://ldap:636 -v -d 255
>ldap_initialize( ldaps://ldap:636 )
>ldap_create
>ldap_url_parse_ext(ldaps://ldap:636)
>Enter LDAP Password:
>ldap_bind_s
>ldap_simple_bind_s
>ldap_sasl_bind_s
>ldap_sasl_bind
>ldap_send_initial_request
>ldap_new_connection
>ldap_int_open_connection
>ldap_connect_to_host: TCP ldap:636
>ldap_new_socket: 3
>ldap_prepare_socket: 3
>ldap_connect_to_host: Trying x.x.x.x:636
>ldap_connect_timeout: fd: 3 tm: -1 async: 0
>ldap_ndelay_on: 3
>ldap_is_sock_ready: 3
>ldap_ndelay_off: 3
>TLS trace: SSL_connect:before/connect initialization
>tls_write: want=142, written=142
>[--snip--]
>TLS trace: SSL_connect:SSLv2/v3 write client hello A
>tls_read: want=7, got=7
>[--snip--]
>tls_read: want=72, got=72
>[--snip--]
>TLS trace: SSL_connect:SSLv3 read server hello A
>tls_read: want=5, got=5
>[--snip--]
>tls_read: want=3518, got=3518
>[--snip--]
>TLS certificate verification: depth: 2, err: 0, subject: /C=DE/O=Deutsches
>Forschungsnetz/OU=DFN-CERT GmbH/OU=DFN-PCA/CN=DFN Toplevel Certification
>Authority/emailAddress=certify@pca.dfn.de, issuer: /C=DE/O=Deutsches
>Forschungsnetz/OU=DFN-CERT GmbH/OU=DFN-PCA/CN=DFN Toplevel Certification
>Authority/emailAddress=certify@pca.dfn.de
>TLS certificate verification: depth: 1, err: 0, subject: /C=DE/O=Universitaet
>Leipzig/OU=URZ/CN=Zertifizierungsstelle 2004/emailAddress=ca@uni-leipzig.de,
>issuer: /C=DE/O=Deutsches Forschungsnetz/OU=DFN-CERT GmbH/OU=DFN-PCA/CN=DFN
>Toplevel Certification Authority/emailAddress=certify@pca.dfn.de
>TLS certificate verification: depth: 0, err: 0, subject: /C=DE/O=Universitaet
>Leipzig/OU=URZ/CN=ldap.example.com, issuer: /C=DE/O=Universitaet
>Leipzig/OU=URZ/CN=Zertifizierungsstelle 2004/emailAddress=ca@uni-leipzig.de
>TLS trace: SSL_connect:SSLv3 read server certificate A
>tls_read: want=5, got=5
>[--snip--]
>tls_read: want=4, got=4
>[--snip--]
>TLS trace: SSL_connect:SSLv3 read server done A
>TLS trace: SSL_connect:SSLv3 write client key exchange A
>TLS trace: SSL_connect:SSLv3 write change cipher spec A
>TLS trace: SSL_connect:SSLv3 write finished A
>tls_write: want=326, written=326
>[--snip--]
>TLS trace: SSL_connect:SSLv3 flush data
>tls_read: want=5, got=5
>[--snip--]
>tls_read: want=1, got=1
>[--snip--]
>tls_read: want=5, got=5
>[--snip--]
>tls_read: want=48, got=48
>[--snip--]
>TLS trace: SSL_connect:SSLv3 read finished A
>TLS: hostname (ldap) does not match common name in certificate
>(ldap.example.com).
>ldap_perror
>ldap_bind: Can't contact LDAP server (-1)
>        additional info: TLS: hostname does not match CN in peer certificate
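The comparison that the reply calls "by design", written out as an added Python example (this is not OpenLDAP's libldap code and not part of the thread). A TLS client compares the literal name it was asked to connect to against the names the certificate presents; it never expands a short name through DNS or accepts a suffix match, because the resolver answer is exactly the thing the certificate check is meant to protect against. So "ldap" does not match a certificate issued for "ldap.example.com", while "ldap.example.com" (in any letter case, with or without a trailing dot) does. The example goes a little beyond the thread: it also handles SAN dNSName entries, which take precedence over the subject CN, and the left-most-label wildcard rule; the function and parameter names are mine, and the sample values are the ones quoted in the report.

```python
"""Hostname-vs-certificate name matching in the spirit of RFC 6125.

Added example, not OpenLDAP code. It demonstrates why a client that was
told to reach "ldap" must reject a certificate whose only name is
"ldap.example.com": the reference identity is the literal name from the
URL, never a DNS-expanded or suffix-matched form of it.
"""
import ipaddress
from typing import List, Optional, Tuple


def name_matches(presented: str, reference: str) -> bool:
    """True if one presented name (subject CN or SAN dNSName) covers the
    reference hostname the client intended to connect to.

    Rules applied:
      * comparison is case-insensitive, label by label, trailing dot ignored;
      * the label counts must be identical, so "ldap" never matches
        "ldap.example.com" (and vice versa);
      * a wildcard is honoured only as the complete left-most label and only
        with at least two labels after it (no "*.com", no "ld*p");
      * IP-address references are never matched against DNS names.
    """
    p = presented.lower().rstrip(".")
    r = reference.lower().rstrip(".")
    if not p or not r:
        return False
    try:
        ipaddress.ip_address(r)
        return False                      # IP literals need an iPAddress SAN
    except ValueError:
        pass
    p_labels = p.split(".")
    r_labels = r.split(".")
    if any(not lbl for lbl in p_labels + r_labels):
        return False                      # empty label: malformed name
    if len(p_labels) != len(r_labels):
        return False                      # "ldap" vs "ldap.example.com"
    if any("*" in lbl for lbl in p_labels[1:]):
        return False                      # wildcard only in the first label
    if "*" in p_labels[0]:
        if p_labels[0] != "*" or len(p_labels) < 3:
            return False                  # partial wildcard or "*.tld"
        return p_labels[1:] == r_labels[1:]
    return p_labels == r_labels


def verify_peer_name(reference: str, subject_cn: Optional[str],
                     san_dns: List[str]) -> Tuple[bool, str]:
    """Decide whether a certificate is acceptable for `reference`.

    SAN dNSName entries take precedence; the subject CN is consulted only
    when the certificate carries no dNSName at all (the CN-only behaviour
    the thread's debug output shows). Returns (ok, reason) so a caller can
    log the mismatch the way ldapsearch -d 255 does.
    """
    if san_dns:
        for name in san_dns:
            if name_matches(name, reference):
                return True, "matched SAN dNSName %s" % name
        return False, "hostname (%s) does not match any SAN dNSName %s" % (
            reference, san_dns)
    if subject_cn is not None and name_matches(subject_cn, reference):
        return True, "matched subject CN %s" % subject_cn
    return False, ("hostname (%s) does not match common name in certificate "
                   "(%s)" % (reference, subject_cn))


if __name__ == "__main__":
    # Values from the report: the certificate's CN is ldap.example.com.
    cn = "ldap.example.com"
    for url_host in ("ldap", "ldap.example.com", "LDAP.EXAMPLE.COM."):
        ok, why = verify_peer_name(url_host, cn, [])
        print("%-20s -> %s: %s" % (url_host, "ok" if ok else "FAIL", why))
```

Running the block reproduces the thread's outcome: the first URL host fails with the same "hostname (ldap) does not match common name in certificate (ldap.example.com)" reason, the other two succeed. Note that the openssl s_client command quoted in the report only validates the chain up to the CA; in that era it performed no hostname check at all, which is why it "succeeds" where ldapsearch correctly refuses.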