
Re: "TLS_REQCERT allow" rejects CN and hostname mismatch?



On Sun, 16 Oct 2011, Howard Chu wrote:
> Noël Köthe wrote:
> > (openldap 2.4.25 on Debian GNU/Linux)
> > TLS_REQCERT allow is documented with
> > "The server certificate is requested. If no certificate is provided, the
> > session proceeds normally. If a bad certificate is provided, it will be
> > ignored and the session proceeds normally."
> > 
> > But if I test it it looks like the common name (CN) is checked against
> > the hostname of the server:
> 
> See ITS#7014.

So in Aug of this year, a patch (ITS#7014) to make the code match the docs 
was applied, which means the code didn't match the docs.

Two and a half years ago, when a patch (ITS#4941) was submitted to make the 
docs match the code, it was rejected with the statement:
   "Aside from clarifying that we're assuming the use of X.509 
   certificates in the first place, this text is correct."

I'm glad the docs were correct for that 2.5 year window; too bad the code 
wasn't.  If anyone has a list of other places where the docs are correct 
but the code isn't, I'd be interested in a copy.


Philip Guenther