[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS hostname check screwed up?

To: Michael Ströder <michael@stroeder.com>
Subject: Re: TLS hostname check screwed up?
From: Howard Chu <hyc@symas.com>
Date: Wed, 12 Aug 2009 12:45:42 -0700
Cc: openldap-devel@openldap.org
In-reply-to: <4A82B184.1070906@stroeder.com>
References: <4A5BBD9F.9050809@stroeder.com> <4A5BC085.5090600@symas.com> <4A5C3C77.90806@stroeder.com> <4A82B184.1070906@stroeder.com>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; rv:1.9.1b5pre) Gecko/20090809 SeaMonkey/2.0a1pre Firefox/3.0.3

Michael Ströder wrote:

HI!

I'm using libldap of RE24 and have a problem with host name checking when
doing TLS.

OpenLDAP's debug output (real hostname exactly replaced by srv.domain.local):

------------------------------ snip ------------------------------
TLS: hostname (srv.domain.local.) does not match common name in certificate
(srv.domain.local).
------------------------------ snip ------------------------------

Is this because of the trailing dot?


Probably. The RFC requires an exact match, there's no exception for dots.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- Re: TLS hostname check screwed up?
  - From: Michael Ströder <michael@stroeder.com>

References:
- TLS hostname check screwed up?
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Re: TLS hostname check screwed up?
Next by Date: FAQ and ancient entries
Index(es):
- Chronological
- Thread