Quanah Gibson-Mount wrote:
--On Tuesday, May 09, 2017 10:58 PM +0200 Michael Ströder
<mich...@stroeder.com> wrote:
"subjectAltName" means *alternative* name. It is totally correct for
libldap to reject your cert with a hostname mismatch when the cert cn is
incorrect.
Human language can cause misunderstandings. So maybe I misread your
statement. But I'm reading your sentence that the CN must always match or
at least be an FQDN even if a subjectAltName value already matched.
No. One or the other must match, but the CN must be an FQDN. The point of
alternatives is to support wildcards, aliases, and non-DNS name forms (such as
IP address).
Right now, it requires that a value in subjectAltName match the local host
name, which is also invalid.
I know the purpose of the check is to allow
someone to use -H ldap://localhost to the ldap client, where the cert only
exists for the hostname (i.e., it has no DNS:localhost value).
Yes.
However, the
current code I maintain is incorrect in that it invalidates the current case,
where everything is restricted to "localhost".
No. "everything is restricted to localhost" is meaningless. Telling slapd to
listen on "-h ldap://localhost" doesn't change slapd's hostname to "localhost".
Quite frankly, the cert CN can
technically be anything, as long as at least one value in subjectAltName
matches.
Agreed.
Unfortunately, I can't do an IP based cert either, since I've no idea what
"localhost" will actually map to on the system.
Sorry but that makes no sense. "localhost" is 127.0.0.1. Always.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
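The matching rule the thread converges on (a subjectAltName entry is authoritative, the CN is consulted only when the certificate carries no SAN at all, and an IP literal such as 127.0.0.1 is matched against an IP Address entry rather than a DNS name), written out as an added example for this page; it is not libldap's code. The certificate dicts are constructed and mimic the shape returned by Python's `ssl` getpeercert().

```python
import ipaddress

# Constructed certificate records (not real certs) in getpeercert() shape.
CERT_SAN_ONLY = {
    "subject": ((("commonName", "anything-at-all"),),),   # CN irrelevant
    "subjectAltName": (("DNS", "ldap.example.com"), ("IP Address", "127.0.0.1")),
}
CERT_CN_ONLY = {
    "subject": ((("commonName", "ldap.example.com"),),),  # legacy, no SAN
}

def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' may stand for the whole leftmost label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Reject '*.com', a wildcard anywhere but the leftmost label, or a
    # wildcard that would have to span more than one label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def hostname_matches(cert: dict, requested: str) -> bool:
    """True when `requested` (host part of the ldap:// URI, a DNS name or an
    IP literal) is covered by the certificate.  If any SAN is present it is
    the only thing checked; the CN is used solely as a no-SAN fallback."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None  # not an IP literal, so treat it as a DNS name
    if san:
        for kind, value in san:
            if kind == "DNS" and ip is None and _dns_match(value, requested):
                return True
            if kind == "IP Address" and ip is not None \
                    and ipaddress.ip_address(value) == ip:
                return True
        return False  # SAN present but nothing matched: CN is NOT a fallback
    # No SAN at all: the CN itself must name the host being connected to.
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName" and ip is None and _dns_match(value, requested):
                return True
    return False
```

Connecting with -H ldap://localhost to CERT_SAN_ONLY fails because there is no DNS:localhost entry, while -H ldap://127.0.0.1 succeeds via the IP Address entry regardless of the CN.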