[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#5938) tls.c does not conform to RFC 4513
On Feb 10, 2009, at 7:56 AM, nick.hudson@isode.com wrote:
> Full_Name: nick hudson
> Version: 2.3.38
> OS: linux
> URL:
> Submission from: (NULL) (62.3.217.250)
>
>
> I am looking at the code in tls.c, function
> ldap_pvt_tls_check_hostname
> (although the code has been refactored in recent versions, into e.g.
> tls_o.c,
> but the same is true of the new code)
>
> I think the code is doing something that RFC 4513 says that it
> should not do.
> Specifically, ref RFC 4513 section 3.1.3 says:
>
> The server's identity may also be verified by comparing the
> reference
> identity to the Common Name (CN) [RFC4519] value in the leaf
> Relative
> Distinguished Name (RDN) of the subjectName field of the server's
> certificate. This comparison is performed using the rules for
> comparison of DNS names in Section 3.1.3.1, below, with the
> exception
> that no wildcard matching is allowed.
>
> In tls.c (and the refactored code), you can see it's first
> attempting an exact
> comparison on subjectAltName, and if that fails it tries a wildcard
> match (which
> is ok, as per section 3.1.3.1)
>
> But if no subjectAltName match is found, there's another section
> which looks at
> the certificate's subjectname, in which it also does a wildcard
> match, although
> the RFC says this shouldn't be done.
This is a case where OpenLDAP library is purposely being 'liberal in
what it accepts'.
-- Kurt