Howard Chu wrote:
> Michael Ströder wrote:
>> Howard Chu wrote:
>>> Show the output with debugging enabled. Note that "localhost" is treated
>>> specially, and will be replaced by the local hostname instead of being used
>>> directly in the name comparison.
>>
>> Why that? I strongly dislike automagic things when doing security checks.
>
> Probably because "localhost" is useless in an actual cert from a remote
> server.
Yes. But nothing prevents the client from providing the correct hostname.

> This has been a feature of libldap since 2.1, so it's certainly
> nothing new.

You can blame me that I did not notice this feature before. Still I think that's broken, since libldap then has to rely on trustworthy name resolution instead of just comparing the inherently trusted user input against the cert's CN attribute.

Hmm, didn't we have this discussion before?

Ciao, Michael.
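The check being argued about above, as an added example that is not libldap's code: a small model of TLS server-name verification with the "localhost" substitution Howard describes, beside a strict comparison of the name the caller supplied. The PeerCert stand-in, the subjectAltName-before-CN precedence and the leftmost-label wildcard rule are assumptions made for the illustration; the source of the local hostname is injectable so that the dependence on name resolution that Michael objects to is visible in the result.

```python
"""Model of a TLS hostname check with and without the "localhost" substitution
described in the thread.  Added illustration, not libldap code."""
import socket
from dataclasses import dataclass, field


@dataclass
class PeerCert:
    """Constructed stand-in for a parsed X.509 certificate (assumption)."""
    cn: str
    san_dns: list = field(default_factory=list)   # subjectAltName dNSName entries


def _label_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match.  A '*' is honoured only as the whole
    leftmost label, so '*.example.com' matches 'ldap.example.com' but not
    'a.b.example.com' (conventional rule, assumed here)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches(cert: PeerCert, host: str) -> bool:
    """Check dNSName SAN entries first; fall back to the CN only when the
    certificate carries no dNSName (assumed precedence)."""
    if cert.san_dns:
        return any(_label_match(name, host) for name in cert.san_dns)
    return _label_match(cert.cn, host)


def check_hostname(cert: PeerCert, requested_host: str,
                   substitute_localhost: bool,
                   local_hostname=socket.gethostname):
    """Return (ok, name_actually_compared).

    With substitute_localhost=True the literal name 'localhost' is replaced
    by whatever local_hostname() reports before the comparison, which is the
    behaviour the thread describes.  The outcome then depends on the local
    name configuration rather than solely on the caller's input."""
    name = requested_host
    if substitute_localhost and requested_host.lower() == "localhost":
        name = local_hostname()
    return cert_matches(cert, name), name


if __name__ == "__main__":
    # Constructed certificate: a remote server's real name in the CN.
    remote = PeerCert(cn="ldap.example.com")
    # Strict policy: the caller typed "localhost", the cert says otherwise -> fail.
    print(check_hostname(remote, "localhost", substitute_localhost=False))
    # Substitution policy: passes only if this machine *resolves* to that name.
    print(check_hostname(remote, "localhost", True, lambda: "ldap.example.com"))
    print(check_hostname(remote, "localhost", True, lambda: "other.internal"))
    # A cert actually issued to "localhost" passes strictly but, under the
    # substitution policy, its fate is decided by gethostname(), not the caller.
    local = PeerCert(cn="localhost")
    print(check_hostname(local, "localhost", substitute_localhost=False))
    print(check_hostname(local, "localhost", True, socket.gethostname))
```

The injectable local_hostname parameter is the whole point of the model: under the substitution policy the second element of the returned tuple shows which name was really compared, and it is not always the one the caller supplied.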
