
Re: How do tool verify certs with ldapi:// ?



On Mon, 28 May 2012, Peter Marschall wrote:
> On Monday, 28. May 2012, Philip Guenther wrote:
...
> > If that's not a sufficient option, and verifying certs is required, 
> > then it appears the code will treat the socket path as the hostname to 
> > verify for.  For OpenSSL, for example, that means it'll compare it 
> > against any DNS: subjectAltNames as well as against the last CN 
> > component of the cert subject.
>
> That's not what the openldap tools do.

I'm glad I said "it appears", as appearances can be (and were) deceiving.  :-)


Checking with a debugger, I see that my description was correct for the 
case where a path was specified in the URI, à la
	ldapi://%2fvar%2frun%2fldapi

If no path is specified (e.g., "ldapi://") then the checking code is 
passed a hostname of "localhost".


Philip Guenther
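The behaviour described in the message above, modelled as an added Python example. This is not OpenLDAP's own code: the percent-decoding of the URI authority component, the "localhost" fallback, and the simplified "any DNS SAN or the last subject CN" matching rule are assumptions drawn from the thread, and the certificate descriptions are constructed sample data. It shows why a certificate issued for "localhost" satisfies verification for a bare "ldapi://" but not for a URI that carries the socket path.

```python
from urllib.parse import urlsplit, unquote


def ldapi_verify_hostname(uri: str) -> str:
    """Return the name the TLS checking code is handed for an ldapi:// URI.

    Assumption modelled from the thread: if the URI carries a (percent-encoded)
    socket path in its authority component, that decoded path is used as the
    "hostname"; if no path is given (e.g. "ldapi://"), "localhost" is used.
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() != "ldapi":
        raise ValueError(f"not an ldapi URI: {uri!r}")
    # The socket path lives in the authority component, e.g. %2fvar%2frun%2fldapi;
    # unquote() handles both %2f and %2F.
    socket_path = unquote(parts.netloc)
    return socket_path if socket_path else "localhost"


def name_matches_cert(hostname: str, san_dns_names: list[str], subject_cns: list[str]) -> bool:
    """Simplified matching rule as described in the thread for OpenSSL:
    accept if the name equals any DNS: subjectAltName, or the last CN
    component of the subject. (Exact, case-sensitive comparison is an
    assumption kept for simplicity; wildcards are not handled.)
    """
    if hostname in san_dns_names:
        return True
    return bool(subject_cns) and subject_cns[-1] == hostname


def uri_passes_verification(uri: str, cert: dict) -> bool:
    """Combine the two steps: derive the name from the URI, then match it
    against a constructed certificate description."""
    hostname = ldapi_verify_hostname(uri)
    return name_matches_cert(hostname, cert["san_dns"], cert["subject_cns"])


# Constructed sample certificate descriptions (not real certificates).
LOCALHOST_CERT = {"san_dns": ["localhost"], "subject_cns": ["localhost"]}
SOCKET_PATH_CERT = {"san_dns": [], "subject_cns": ["/var/run/ldapi"]}


def demo() -> dict:
    """Evaluate the two URI forms from the thread against both sample certs."""
    uris = ["ldapi://", "ldapi://%2fvar%2frun%2fldapi"]
    return {
        uri: {
            "checked_name": ldapi_verify_hostname(uri),
            "localhost_cert_ok": uri_passes_verification(uri, LOCALHOST_CERT),
            "socket_path_cert_ok": uri_passes_verification(uri, SOCKET_PATH_CERT),
        }
        for uri in uris
    }


if __name__ == "__main__":
    for uri, result in demo().items():
        print(uri, result)
```

Running the block prints, for each URI form, the name the checker would be handed and whether each sample certificate would satisfy it; a deployment that points tools at the socket path therefore needs a certificate naming that path, or must skip verification for ldapi:// altogether.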