Re: (ITS#7014) TLS: certificate hostnames are being checked when TLS_REQCERT is set to allow
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#7014) TLS: certificate hostnames are being checked when TLS_REQCERT is set to allow
- From: hyc@symas.com
- Date: Wed, 24 Aug 2011 22:32:44 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
jvcelak@redhat.com wrote:
> Full_Name: Jan Vcelak
> Version: master
> OS: Linux
> URL: http://jvcelak.fedorapeople.org/openldap/0001-TLS-do-not-check-hostname-when-reqcert-is-allow.patch
> Submission from: (NULL) (209.132.186.34)
>
>
> Hello.
>
> If the server certificate hostname does not match the server hostname, the
> connection is closed even if the client has set TLS_REQCERT to 'allow'. This is
> wrong - the documentation says that bad certificates are ignored when
> TLS_REQCERT is set to 'allow'. (Other certificate failures (like an invalid CA)
> are handled as expected - at least with MozNSS.)
>
> I'm attaching a patch which fixes this behavior. The patch applies on the
> master branch. (The OpenLDAP FTP server for incoming patches reports 'No space
> left on device.', that's why I uploaded the patch to fedorapeople.org.)
Thanks, applied to master.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
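To make the policy at issue concrete, here is an added Python model (not OpenLDAP's own code) of how the TLS_REQCERT levels documented in ldap.conf(5) treat the outcome of server certificate verification, with the pre-fix behaviour the report describes placed beside it. The VerifyResult fields and the function names are assumptions of this illustration.

```python
"""Model of the client-side TLS_REQCERT policy from ldap.conf(5), applied to
the three things a client learns when verifying a server certificate:
whether one was sent, whether its chain validates, and whether its name
matches the host. Constructed illustration, not OpenLDAP's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VerifyResult:
    cert_present: bool      # server presented a certificate at all
    chain_valid: bool       # chain validates against the configured CA
    hostname_matches: bool  # subject/SAN matches the host we connected to


def tls_reqcert_decision(level: str, res: VerifyResult) -> bool:
    """Return True if the session should proceed under TLS_REQCERT=level.

    never:       no certificate is requested, so nothing is checked.
    allow:       a missing or bad certificate is ignored.
    try:         a missing certificate is ignored, a bad one ends the session.
    demand/hard: a missing or bad certificate ends the session.
    A certificate is 'bad' if the chain or the hostname check fails.
    """
    level = level.lower()
    if level == "never":
        return True
    if not res.cert_present:
        return level in ("allow", "try")
    if res.chain_valid and res.hostname_matches:
        return True
    return level == "allow"


def buggy_decision(level: str, res: VerifyResult) -> bool:
    """Behaviour ITS#7014 reports before the fix: the hostname check was
    enforced unconditionally, so a name mismatch closed the connection even
    under 'allow', which should ignore it like any other certificate fault."""
    level = level.lower()
    if level != "never" and res.cert_present and not res.hostname_matches:
        return False
    return tls_reqcert_decision(level, res)


if __name__ == "__main__":
    mismatch = VerifyResult(cert_present=True, chain_valid=True, hostname_matches=False)
    for lvl in ("never", "allow", "try", "demand"):
        print(f"{lvl:7s} fixed={tls_reqcert_decision(lvl, mismatch)} "
              f"pre-fix={buggy_decision(lvl, mismatch)}")
```

The model also makes the operational point visible: under 'allow' a hostname mismatch is accepted just as a bad chain is, so that level gives no assurance about the peer and production clients should use 'demand' together with TLS_CACERT.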