[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: "TLS_REQCERT allow" rejects CN and hostname mismatch?

To: NoÃl KÃthe <noel@debian.org>
Subject: Re: "TLS_REQCERT allow" rejects CN and hostname mismatch?
From: Howard Chu <hyc@symas.com>
Date: Sun, 16 Oct 2011 11:59:11 -0700
Cc: openldap-technical@openldap.org
In-reply-to: <1318590190.31890.2.camel@thinker.domain.lan>
References: <1318590190.31890.2.camel@thinker.domain.lan>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0a1) Gecko/20111001 Firefox/10.0a1 SeaMonkey/2.7a1

NoÃl KÃthe wrote:

Hello,

(openldap 2.4.25 on Debian GNU/Linux)
TLS_REQCERT allow is documented with
"The server certificate is requested. If no certificate is provided, the session proceeds normally.  If  a  bad
certificate is provided, it will be ignored and the session proceeds normally."

But if I test it it looks like the common name (CN) is checked against
the hostname of the server:


See ITS#7014.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- Re: "TLS_REQCERT allow" rejects CN and hostname mismatch?
  - From: Philip Guenther <guenther+ldaptech@sendmail.com>

References:
- "TLS_REQCERT allow" rejects CN and hostname mismatch?
  - From: Noël Köthe <noel@debian.org>

Prev by Date: Re: password-policy configuration problems: cannot change passwords
Next by Date: Re: Syncrepl SSL fail
Index(es):
- Chronological
- Thread