Re: TLS hostname check relaxed?



Howard Chu wrote:
> Michael Ströder wrote:
>> Hi!
>>
>> I vaguely remember that there were code changes to the hostname cert
>> checking when connecting via StartTLS ext.op. or LDAPS. But I'd prefer
>> if the default behaviour would be strict like it was.
> 
> You'll have to be more specific. What are you seeing that it doesn't do
> any more?

The server cert has this subject name for server name nb2.stroeder.local:
/C=DE/L=Karlsruhe/O=stroeder.com/OU=ITS/CN=nb2.stroeder.local

But I can successfully connect to it with this command:

ldapsearch -H ldaps://localhost:1391

From my understanding this should not be possible by default.

Ciao, Michael.
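
An added example (not part of the original message, and not OpenLDAP's code): a strict server-identity check applied to the subject name and URI quoted in the message above. The function names, the wildcard policy and the preference for dNSName entries over the subject CN are assumptions of this example; IP-address identities are not handled.

```python
from urllib.parse import urlsplit

# Values taken from the message above.
SUBJECT = "/C=DE/L=Karlsruhe/O=stroeder.com/OU=ITS/CN=nb2.stroeder.local"
URI = "ldaps://localhost:1391"


def subject_cns(oneline):
    """Return the CN values of an OpenSSL one-line subject (/K=V/K=V...).

    Limitation: attribute values that themselves contain '/' are not supported.
    """
    cns = []
    for rdn in oneline.split("/"):
        key, sep, value = rdn.partition("=")
        if sep and key.upper() == "CN":
            cns.append(value)
    return cns


def name_matches(pattern, host):
    """Case-insensitive label-by-label match.

    Assumed policy: '*' is accepted only as the entire left-most label and
    only when at least two fixed labels follow it.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if any("*" in label for label in p[1:]):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return "*" not in p[0] and p == h


def check_server_identity(uri, subject, san_dns=()):
    """Return (ok, host, names): does the host in uri match the cert names?"""
    host = urlsplit(uri).hostname
    # Assumed precedence: use dNSName entries if present, else the subject CN.
    names = list(san_dns) or subject_cns(subject)
    ok = host is not None and any(name_matches(n, host) for n in names)
    return ok, host, names


if __name__ == "__main__":
    for uri in (URI, "ldaps://nb2.stroeder.local:1391"):
        ok, host, names = check_server_identity(uri, SUBJECT)
        print(f"{uri}: host={host} cert names={names} -> {'accept' if ok else 'reject'}")
```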