
(ITS#7006) openldap does not accept wildcard certificates with mozilla/nss



Full_Name: Philippe Kueck
Version: 2.4.23 / 2.4.26
OS: RHEL 6.1
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (82.98.65.86)


When compiled against Mozilla/NSS, OpenLDAP does not accept wildcard
certificates.

This is probably because in tls_m.c the certificate CN (*.domain.example) is
matched against the hostname (foo.domain.example), not against the domain
(.domain.example).

I suggest the following patch:

--%snip%--
diff -Nru openldap-2.4.26-orig/libraries/libldap/tls_m.c
openldap-2.4.26/libraries/libldap/tls_m.c
--- openldap-2.4.26-orig/libraries/libldap/tls_m.c	2011-06-30 17:13:36.000000000
+0200
+++ openldap-2.4.26/libraries/libldap/tls_m.c	2011-08-01 16:29:42.000000000
+0200
@@ -2590,7 +2590,7 @@
 				if ( av->len == nlen && !strncasecmp( name, (char *)av->data, nlen )) {
 					ret = LDAP_SUCCESS;
 				} else if ( av->data[0] == '*' && av->data[1] == '.' &&
-					domain && dlen == av->len - 1 && !strncasecmp( name,
+					domain && dlen == av->len - 1 && !strncasecmp( domain,
 						(char *)(av->data+1), dlen )) {
 					ret = LDAP_SUCCESS;
 				} else {
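Review bot: the one-word change on the `!strncasecmp(` line is the right fix, and the surrounding guard explains why the old code could never match: `dlen == av->len - 1` only makes sense if the operand compared against `av->data+1` is the domain suffix (`domain`, ".domain.example"), yet the old code handed it `name` (the full hostname, "foo.domain.example"), so the wildcard branch could only succeed for a hostname that itself began with '.'. Since `domain` is computed outside this hunk, consider a short comment above the `else if` stating that `domain` must point at the first '.' of `name` for the length check to line up, and a regression test that `*.domain.example` matches `foo.domain.example` but still rejects `foo.bar.domain.example` (different `dlen`) and the bare `domain.example`.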
--%snip%--


Kind regards,

Philippe Kueck
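The matching logic this report describes, as an added C example that is not OpenLDAP's code: `match_cn` models the exact and single-label wildcard comparison from tls_m.c, with a `buggy` switch that reproduces the pre-patch comparison against the full hostname so the two behaviours can be compared side by side. The function name and the constructed certificate and host names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Added example, not OpenLDAP code: models the CN-vs-hostname check in
 * tls_m.c.  'cn' is the certificate subject CN, 'name' the hostname the
 * client connected to.  Returns 1 on match, 0 otherwise. */
static int match_cn(const char *cn, const char *name, int buggy)
{
    size_t nlen = strlen(name);
    size_t len = strlen(cn);
    const char *domain = strchr(name, '.');      /* ".domain.example" or NULL */
    size_t dlen = domain ? strlen(domain) : 0;

    /* Exact, case-insensitive match of the whole CN. */
    if (len == nlen && !strncasecmp(name, cn, nlen))
        return 1;

    /* Single-label wildcard "*.domain.example": the suffix after '*' must be
     * exactly as long as the hostname's domain part (everything from the
     * first '.'), so a.b.domain.example or domain.example never match. */
    if (cn[0] == '*' && cn[1] == '.' && domain && dlen == len - 1) {
        /* Before the patch the full hostname was compared here, so this
         * branch could only succeed for a hostname starting with '.'. */
        const char *lhs = buggy ? name : domain;
        if (!strncasecmp(lhs, cn + 1, dlen))
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed names, not from any real deployment. */
    const char *cn = "*.domain.example";
    printf("fixed : %s -> %d\n", "foo.domain.example",
           match_cn(cn, "foo.domain.example", 0));     /* 1 */
    printf("buggy : %s -> %d\n", "foo.domain.example",
           match_cn(cn, "foo.domain.example", 1));     /* 0 */
    printf("fixed : %s -> %d\n", "foo.bar.domain.example",
           match_cn(cn, "foo.bar.domain.example", 0)); /* 0 */
    printf("fixed : %s -> %d\n", "domain.example",
           match_cn(cn, "domain.example", 0));         /* 0 */
    return 0;
}
```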