Re: TLS fails



Kurt D. Zeilenga wrote:
On Wednesday 15 February 2006 15:40, Jon Roberts wrote:
Quanah Gibson-Mount wrote:
You have to use the name in your search that matches the name in the
certificate for TLS to work.

In JLDAP clients I can connect to a remote ldaps server by using the ip address as hostname, even though I obviously did not use the ip as the name in the certificate. Is that advice specific to ldapsearch, StartTLS, or something else I might be confused about?

I'm guessing that JLDAP translates the IP address to the FQDN.

Which is counter to both general and LDAP-specific TLS certificate verification rules. One shouldn't trust DNS. Sounds like a JLDAP bug to me.

I'll have to continue investigating this later, but it appears it's actually the standard Java JSSE SSL socket factory that's doing this lookup. However, in JLDAP's LDAPJSSEStartTLSFactory the socket creation involves an explicit call to getInetAddress().getHostName(). That may be aping what I'll find in the source for javax.net.ssl.SSLSocketFactory.


Either way I'm pretty sure this is not a DNS lookup at all, because I'm using a local network (192.168) address which shouldn't resolve to anything.

If I pick up this tangential branch of the thread, I'll move it to openldap-devel.

Jon Roberts
www.mentata.com
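The verification rule Kurt refers to, shown as an added example rather than code from JLDAP, JSSE or OpenLDAP: the name the client intended to reach (the "reference identity") is what gets matched against the certificate's subjectAltName entries. A DNS name is matched only against dNSName entries (a wildcard counts only as the entire leftmost label), an IP literal is matched only against an iPAddress entry, and the IP is never reverse-resolved to a hostname first. The SAN list and the PTR table below are constructed for the example; `verify_via_reverse_dns` emulates the resolve-then-match behaviour the thread suspects, to show why it accepts a certificate that the proper check rejects. Fallback to the subject CN is deliberately omitted.

```python
"""Reference-identity check for a TLS server certificate (RFC 2818 / RFC 6125 style).

Added example, not JLDAP or JSSE code. The SAN list stands in for what a
client would extract from the peer certificate; no network access is made.
"""
import ipaddress


def _match_dns(pattern, hostname):
    """Case-insensitive dNSName match. A '*' is accepted only as the whole
    leftmost label and must leave at least two fixed labels (no '*.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False  # '*.example.com' does not cover 'a.b.example.com'
    return p_labels[1:] == h_labels[1:]


def verify_reference_identity(target, sans):
    """Return True iff `target`, the name or IP literal the client set out to
    connect to, matches a SAN entry of the matching type.

    `sans` is a list of (kind, value) with kind in {"DNS", "IP"}."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is matched only against iPAddress SANs. It is never
        # turned into a hostname via DNS: a PTR answer is attacker-influenced.
        return any(kind == "IP" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and _match_dns(value, target)
               for kind, value in sans)


# Constructed PTR table emulating what getHostName() might hand back for the
# connected address. Not a real lookup; any value here is an assumption.
CONSTRUCTED_PTR = {"192.168.1.10": "ldap.example.com"}


def verify_via_reverse_dns(target, sans):
    """The suspected (unsafe) behaviour: resolve the IP to a name first, then
    match that name. Whoever controls the reverse zone controls the outcome."""
    name = CONSTRUCTED_PTR.get(target, target)
    return verify_reference_identity(name, sans)


# Constructed SAN list for a certificate issued to the LDAP server by name only.
CERT_SANS = [("DNS", "ldap.example.com"), ("DNS", "*.example.com")]


if __name__ == "__main__":
    print(verify_reference_identity("ldap.example.com", CERT_SANS))
    print(verify_reference_identity("192.168.1.10", CERT_SANS))
    print(verify_via_reverse_dns("192.168.1.10", CERT_SANS))
    print(verify_reference_identity("192.168.1.10",
                                    CERT_SANS + [("IP", "192.168.1.10")]))
```

Connecting by the address `192.168.1.10` against this certificate must fail unless the certificate carries an iPAddress entry for it; the resolve-then-match variant passes it, which is exactly the trust in DNS that the verification rules forbid.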