
FW: commit: ldap/libraries/libldap tls.c



Some sites may have been inserting string-format IP addresses as a DNSname in
their certificates' subjectAltName so they could connect (with e.g.
ldap://127.0.0.1). With this change, if the destination name is a valid IP
address then only an IPADDR will be used in the subjectAltName comparisons.
As such, string-format IP addresses in a DNSname will be ignored. This will
require folks to generate new certs if they've been working this way up till
now.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

-----Original Message-----
From: owner-openldap-commit@OpenLDAP.org
[mailto:owner-openldap-commit@OpenLDAP.org]On Behalf Of hyc@OpenLDAP.org

Update of /repo/OpenLDAP/pkg/ldap/libraries/libldap

Modified Files:
	tls.c  1.95 -> 1.96

Log Message:
Added subjectAltName:IPADDR tests to ldap_pvt_tls_check_hostname()


CVS Web URLs:
  http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/
    http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls.c

Changes are generally available on cvs.openldap.org (and CVSweb)
within 30 minutes of being committed.
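
The matching rule described in the message above, as an added example that is not part of the original e-mail and is not OpenLDAP's code. The names `san_matches`, `struct san`, and the sample certificates are hypothetical; using `inet_pton()` to decide whether the destination is "a valid IP address" is an assumption, and wildcard and CN handling are left out.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum san_type { SAN_DNS, SAN_IPADDR };
struct san {
    enum san_type type;
    const char *data;   /* DNS: text; IPADDR: raw 4 or 16 address bytes */
    size_t len;
};

/* Returns 1 if `name` matches a subjectAltName entry, else 0 (no wildcards). */
int san_matches(const char *name, const struct san *sans, size_t n)
{
    unsigned char addr[16];
    size_t addrlen = 0;

    if (inet_pton(AF_INET, name, addr) == 1)
        addrlen = 4;
    else if (inet_pton(AF_INET6, name, addr) == 1)
        addrlen = 16;

    for (size_t i = 0; i < n; i++) {
        const struct san *s = &sans[i];
        if (addrlen) {          /* destination is an IP: only IPADDR counts */
            if (s->type == SAN_IPADDR && s->len == addrlen &&
                memcmp(s->data, addr, addrlen) == 0)
                return 1;
        } else if (s->type == SAN_DNS && s->len == strlen(name) &&
                   strncasecmp(s->data, name, s->len) == 0) {
            return 1;
        }
    }
    return 0;
}

/* Constructed sample certificates (not real data). */
static const struct san old_style[] = {   /* IP stuffed into a DNSname */
    { SAN_DNS, "127.0.0.1", 9 }, { SAN_DNS, "ldap.example.com", 16 } };
static const struct san new_style[] = {   /* proper IPADDR entry */
    { SAN_IPADDR, "\x7f\x00\x00\x01", 4 }, { SAN_DNS, "ldap.example.com", 16 } };

int main(void)
{
    printf("old cert, 127.0.0.1: %d\n", san_matches("127.0.0.1", old_style, 2));
    printf("new cert, 127.0.0.1: %d\n", san_matches("127.0.0.1", new_style, 2));
    return 0;
}
```

The old-style certificate still matches when the client connects by hostname; it fails only when the destination is given as an IP address, which is the case that requires reissuing the certificate with an IPADDR entry.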