https://bugs.openldap.org/show_bug.cgi?id=9267
Issue ID: 9267
Summary: libldap incorrectly accepts IP addresses in cert subject field as valid
Product: OpenLDAP
Version: 2.4.50
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: libraries
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
With a cert that has no subjectAltName, and has an IP address in the subject,
LDAP client connections are still made instead of rejected. This appears to
violate RFC 4513, Section 3.1.3:
    The server's identity may also be verified by comparing the reference
    identity to the Common Name (CN) [RFC4519] value in the leaf Relative
    Distinguished Name (RDN) of the subjectName field of the server's
    certificate. This comparison is performed using the rules for
    comparison of DNS names in Section 3.1.3.1, below, with the exception
    that no wildcard matching is allowed. Although the use of the Common
    Name value is existing practice, it is deprecated, and Certification
    Authorities are encouraged to provide subjectAltName values instead.
    Note that the TLS implementation may represent DNs in certificates
    according to X.500 or other conventions. For example, some X.500
    implementations order the RDNs in a DN using a left-to-right (most
    significant to least significant) convention instead of LDAP's
    right-to-left convention.
I do know we have an exception to the above in relation to wildcards in
subject, since many CAs only issue certs that way (or at least did so at the
time).
However, that still revolves around DNS names. The acceptance of IP addresses
is a separate matter and seems like it should be treated as a bug.
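As an added example (not code from the OpenLDAP project, from libldap, or from this report), the routine below applies the RFC 4513 server identity rules the reporter quotes in a form that rejects the case described: a DNS reference identity is compared against subjectAltName dNSName entries (leftmost-label wildcard allowed), or, when the certificate carries no subjectAltName at all, against the CN of the leaf RDN with no wildcard; an IP-literal reference identity is compared only against subjectAltName iPAddress entries and never against a CN that merely happens to contain an IP string. The certificate is a constructed dict (cn, dns_sans, ip_sans) rather than parsed X.509, the function names are the example's own, and the precedence "CN only when no subjectAltName is present" and "IP literal never matches the CN" are the example's assumptions about how the quoted text should be applied, which is exactly the point the report raises.

```python
import ipaddress


def parse_ip(text):
    """Return an ipaddress object for an IP literal, or None for anything else.

    Bracketed IPv6 literals such as [2001:db8::1] are accepted as well.
    """
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def dns_name_matches(reference, presented, allow_wildcard):
    """Compare a reference DNS name to a presented name, label by label.

    Comparison is case-insensitive and ignores a trailing dot. With
    allow_wildcard, a '*' that is the whole leftmost presented label matches
    exactly one reference label, so *.example.com matches a.example.com but
    not example.com. The CN path passes allow_wildcard=False, matching the
    RFC 4513 text quoted above.
    """
    ref = reference.rstrip(".").lower().split(".")
    pres = presented.rstrip(".").lower().split(".")
    if not reference or len(ref) != len(pres):
        return False
    for i, (r, p) in enumerate(zip(ref, pres)):
        if allow_wildcard and i == 0 and p == "*" and len(pres) > 1:
            continue  # wildcard consumes one reference label
        if r != p:
            return False
    return True


def server_identity_matches(reference, cert):
    """Decide whether a constructed cert dict presents the reference identity.

    cert is a hypothetical representation (assumption of this example):
        {"cn": str or None, "dns_sans": [str], "ip_sans": [str]}

    Rules applied:
      - IP-literal reference: only subjectAltName iPAddress entries count.
        A CN containing the same digits is text, not a DNS name, and is
        ignored, so the cert in this report is rejected.
      - DNS-name reference: subjectAltName dNSName entries with wildcards;
        if the cert has no subjectAltName at all, fall back to the leaf-RDN
        CN without wildcards. A CN that is an IP literal is never accepted.
    """
    ref_ip = parse_ip(reference)
    ip_sans = [ip for ip in (parse_ip(v) for v in cert.get("ip_sans", [])) if ip]
    dns_sans = cert.get("dns_sans", [])

    if ref_ip is not None:
        return any(ip == ref_ip for ip in ip_sans)

    if dns_sans or ip_sans:
        # subjectAltName is present: the CN is not consulted at all.
        return any(dns_name_matches(reference, p, True) for p in dns_sans)

    cn = cert.get("cn")
    if not cn or parse_ip(cn) is not None:
        return False
    return dns_name_matches(reference, cn, False)


if __name__ == "__main__":
    # Constructed sample certificates illustrating the report's scenario.
    cn_only_ip = {"cn": "192.0.2.10", "dns_sans": [], "ip_sans": []}
    san_ip = {"cn": "ldap.example.com", "dns_sans": [], "ip_sans": ["192.0.2.10"]}
    for ref, cert in [("192.0.2.10", cn_only_ip), ("192.0.2.10", san_ip)]:
        verdict = "accept" if server_identity_matches(ref, cert) else "reject"
        print(f"{ref} against cn={cert['cn']!r} ip_sans={cert['ip_sans']}: {verdict}")
```

The first sample is the certificate from the report (no subjectAltName, IP address in the subject CN) and is rejected; the second carries the same address as an iPAddress subjectAltName and is accepted. Because an IP-literal reference never reaches the CN branch, adding the check to a client does not depend on how the TLS library orders or renders the DN.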