Hi, Net::LDAP::Security states correctly that an SSL connection must be verified by two things:
1. a correct certificate chain
2. a matching hostname in the certificate
The document further states that this can be achieved by using
the 'cafile' or 'capath' options AND the 'verify=require' option.
After some tests I have come to the conclusion that Net::LDAP (or
IO::Socket::SSL, don't know who is responsible) does verify the
certificate, but not the hostname.
Example:
Our LDAP server is called 'ldap.uni-paderborn.de', which is also the name
in the certificate:
[EMAIL PROTECTED]:~$ openssl s_client -connect ldap:636 | head
depth=2 /C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Basic - G01
verify error:num=19:self signed certificate in certificate chain
verify return:0
CONNECTED(00000003)
---
Certificate chain
0 s:/C=DE/O=Universitaet Paderborn/OU=IMT (Zentrum fuer Informations- und Medientechnologien)/CN=ldap.uni-paderborn.de/[EMAIL PROTECTED]
But the following perl snippet gives 'OK', even with a non-matching
hostname:
#!/usr/bin/perl -w
use strict;
use Net::LDAP;

# hostname to connect to, taken from the command line
my $host = shift @ARGV;
my $ldap = Net::LDAP->new($host) or die "new: $@";

# start TLS: verify the certificate chain against the system CA directory
my $mesg = $ldap->start_tls(
    verify => 'require',
    capath => '/etc/ssl/certs',
) or die "start_tls: $@";
$mesg->code && die "TLS: " . $mesg->error . "\n";
print "OK\n";
[EMAIL PROTECTED]:~/WORK$ ./test_ldap_tls.pl ldap
OK
If I do the same thing with 'ldapsearch' on the command line, I am only
connected if I enter the fully qualified domain name, just as in the
certificate:
[EMAIL PROTECTED]:~/WORK$ ldapsearch -ZZ -h ldap uid=odenbach
ldap_start_tls: Connect error (-11)
additional info: TLS: hostname does not match CN in peer certificate
[EMAIL PROTECTED]:~/WORK$ ldapsearch -ZZ -h ldap.uni-paderborn.de uid=odenbach
SASL/GSSAPI authentication started
SASL username: [EMAIL PROTECTED]
SASL SSF: 56
SASL installing layers
# extended LDIF
Now my question: Who is responsible for the hostname check? Net::LDAP?
Or IO::Socket::SSL? Who is to blame that Net::LDAP does not verify the
hostname as advertised in Net::LDAP::Security? ;-)
Thank you
Christopher
P.S.: Please include me in answers as I am not subscribed.
--
======================================================
Dipl.-Ing. Christopher Odenbach
Zentrum fuer Informations- und Medientechnologien
Universitaet Paderborn
Raum N5.110
[EMAIL PROTECTED]
Tel.: +49 5251 60 5315
======================================================
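The post turns on the difference between the two checks named at the top: validating the certificate chain and matching the presented name against the hostname that was dialled. The following is an added example in Python (it is not the poster's Perl script and uses neither Net::LDAP nor IO::Socket::SSL); it shows the two checks as independent switches on an `ssl.SSLContext`, and implements the hostname match itself over certificate dictionaries shaped like `SSLSocket.getpeercert()` output. The certificate dictionaries are constructed for the example; the wildcard handling goes beyond the single CN case in the post.

```python
import ssl
from typing import Dict, List, Optional

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert(),
# modelled on the server in the post (subject CN = ldap.uni-paderborn.de).
LDAP_CERT: Dict = {
    "subject": (
        (("countryName", "DE"),),
        (("organizationName", "Universitaet Paderborn"),),
        (("commonName", "ldap.uni-paderborn.de"),),
    ),
    "subjectAltName": (("DNS", "ldap.uni-paderborn.de"),),
}


def make_context(cafile: Optional[str] = None, capath: Optional[str] = None,
                 check_hostname: bool = True) -> ssl.SSLContext:
    """Build a client context with chain validation always on.

    verify_mode=CERT_REQUIRED is the analogue of verify => 'require' plus
    cafile/capath in the post; check_hostname is the separate switch that
    decides whether the peer's name must match the host we connected to.
    """
    ctx = ssl.create_default_context(cafile=cafile, capath=capath)
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain must validate
    ctx.check_hostname = check_hostname   # name must match (or not)
    return ctx


def cert_names(cert: Dict) -> List[str]:
    """Names a certificate is valid for: SAN DNS entries, else the CN.

    Per RFC 6125 the CN is only consulted when no DNS SANs are present.
    """
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn
            if k == "commonName"]


def _name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name (possibly wildcarded) against a hostname."""
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if len(p_labels) != len(h_labels):
        return False                     # "*" covers exactly one label
    if "*" in p_labels[1:]:
        return False                     # wildcard only in the leftmost label
    if p_labels[0] == "*" and len(p_labels) < 3:
        return False                     # refuse "*.de"-style patterns
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def hostname_matches(cert: Dict, hostname: str) -> bool:
    """True if the certificate is valid for `hostname` (case-insensitive,
    trailing dot ignored). This is the check the post found missing."""
    host = hostname.rstrip(".").lower()
    return any(_name_matches(n.rstrip(".").lower(), host)
               for n in cert_names(cert))


if __name__ == "__main__":
    # The short name from the post's ldapsearch run fails, the FQDN passes.
    for name in ("ldap", "ldap.uni-paderborn.de"):
        print(f"{name:25s} -> {hostname_matches(LDAP_CERT, name)}")
```

A context built with `check_hostname=False` still rejects an untrusted chain but accepts any validly signed certificate for the dialled host, which is exactly the gap the post observes; the default `check_hostname=True` closes it.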
