Re: Verifying 'CN' in client certificates using TLS
On Wed, Feb 06, 2002 at 10:29:48AM +0100, Norbert Klasen wrote:
> > However, the 'CN' value of my client certificate is completely ignored,
> > as I can install the same certificates across several clients (machines in
> > this case) and they will work. I'm therefore deducing that, provided the
> > client certs have been signed by my trusted CA (my own in this case), the
> > 'CN' value is unimportant?
> >
> > Is there a way to enforce 'CN' checking against a directory entry which
> > details DNS hostname, or even better IP address, in OpenLDAP?
>
> Which version of OpenLDAP are you using? Recent versions do perform the
> Server Identity Check according to RFC 2830.
I should have listed software versions, sorry:
OpenLDAP 2.0.21
nss_ldap-181
pam_ldap-136
I think Howard, in his follow-up, has pointed out the factor here. 'Clients'
are usually 'people', not 'hosts'; therefore DNS and IP are irrelevant.
Steve
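For readers wondering what the "Server Identity Check" mentioned above actually does, here is a stand-alone matcher implementing the rules of RFC 2830 section 3.6 (case-insensitive comparison of the hostname the client used against subjectAltName dNSName entries, falling back to the subject CN only when no dNSName entries exist, and a '*' wildcard permitted only as the whole left-most label). This is an added example written for this page, not OpenLDAP's code or anything from the thread. It works on certificate data in the shape Python's `ssl.SSLSocket.getpeercert()` returns; the certificates below are constructed for illustration, and the handling of IP-literal references against iPAddress SANs is an assumption beyond the RFC 2830 text (later LDAP-over-TLS specifications describe it).

```python
"""RFC 2830 section 3.6 server identity check, as a stand-alone matcher.

Added example; not OpenLDAP code. Operates on certificate data in the
shape Python's ssl.SSLSocket.getpeercert() returns.
"""
import ipaddress


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against the reference hostname.

    RFC 2830 rules: matching is case-insensitive; '*' is allowed but only
    as the left-most label, where it stands for exactly one label, so
    '*.bar.com' matches 'a.bar.com' but neither 'bar.com' nor 'a.b.bar.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire left-most label and appear nowhere else.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _san_values(peercert: dict, kind: str) -> list:
    """Collect subjectAltName values of one kind ('DNS' or 'IP Address')."""
    return [value for typ, value in peercert.get("subjectAltName", ()) if typ == kind]


def _subject_cn(peercert: dict):
    """Return the first commonName in the subject, or None."""
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def server_identity_check(peercert: dict, reference: str) -> bool:
    """Return True if the certificate identifies `reference`.

    `reference` must be the hostname (or IP literal) the client used to
    open the connection, never a canonical name derived by DNS lookup.
    """
    # IP literals: RFC 2830 is silent on these; matching only against
    # iPAddress SANs is an assumption taken from later LDAP TLS specs.
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None
    if ref_ip is not None:
        for value in _san_values(peercert, "IP Address"):
            try:
                if ipaddress.ip_address(value) == ref_ip:
                    return True
            except ValueError:
                continue  # malformed SAN entry never matches
        return False

    dns_names = _san_values(peercert, "DNS")
    if dns_names:
        # When dNSName SANs are present they are the source of identity;
        # the subject CN is not consulted at all.
        return any(_name_matches(name, reference) for name in dns_names)
    cn = _subject_cn(peercert)
    return cn is not None and _name_matches(cn, reference)


# Constructed certificates (illustration only), in getpeercert() shape.
SERVER_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (
        ("DNS", "ldap.example.com"),
        ("DNS", "*.corp.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}
CN_ONLY_CERT = {
    "subject": ((("countryName", "GB"),), (("commonName", "ldap.example.org"),)),
}
# CN claims one name, but the dNSName SAN takes precedence and says another.
SAN_OVERRIDES_CN_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "other.example.com"),),
}
```

To apply it to a live connection, open the socket with an `ssl.SSLContext` that has `check_hostname = False` (so the matcher above, rather than Python's own check, decides), keep `verify_mode = ssl.CERT_REQUIRED` so the chain is still validated against the trusted CA, and pass `sock.getpeercert()` together with the exact host string you connected to. Note that the precedence rule matters in practice: a certificate whose CN is correct but whose dNSName SAN names a different host is rejected, which is the behaviour the RFC specifies.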