On 14/5/07 8:39, "Christopher Odenbach" <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Net::LDAP::Security states correctly, that an SSL connection must be
> verified by two things:
>
> 1. a correct certificate chain
> 2. a matching hostname in the certificate
>
> The document states further on that this can be achieved by using
> the 'cafile' or 'capath' options AND the 'verify=require' option.
>
> After some tests I have come to the conclusion that Net::LDAP (or
> IO::Socket::SSL, don't know who is responsible) does verify the
> certificate, but not the hostname.
>
> Example:
>
> Our ldap server is called 'ldap.uni-paderborn.de', that is also the name
> in the certificate:
>
> [EMAIL PROTECTED]:~$ openssl s_client -connect ldap:636 | head
> depth=2 /C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Basic - G01
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> CONNECTED(00000003)
> ---
> Certificate chain
>  0 s:/C=DE/O=Universitaet Paderborn/OU=IMT (Zentrum fuer Informations- und
> Medientechnologien)/CN=ldap.uni-paderborn.de/[EMAIL PROTECTED]
> born.de
>
>
> But the following perl snippet gives 'OK', even with a non-matching
> hostname:
>
> #!/usr/bin/perl -w
> use Net::LDAP;
> $host = shift @ARGV;
> $ldap = Net::LDAP->new ( $host ) or die "new: $@";
> # start TLS
> $mesg = $ldap->start_tls ( verify => 'require',
>                            capath => '/etc/ssl/certs',
>                          ) or die "start_tls: $@";
> $mesg->code && die "TLS: " . $mesg->error . "\n";
> print "OK\n";
>
>
> [EMAIL PROTECTED]:~/WORK$ ./test_ldap_tls.pl ldap
> OK
>
>
> If I do the same thing with 'ldapsearch' on the commandline, I am only
> connected if I enter the fully qualified domain name, just as in the
> certificate:
>
> [EMAIL PROTECTED]:~/WORK$ ldapsearch -ZZ -h ldap uid=odenbach
> ldap_start_tls: Connect error (-11)
>         additional info: TLS: hostname does not match CN in peer certificate
> [EMAIL PROTECTED]:~/WORK$ ldapsearch -ZZ -h ldap.uni-paderborn.de uid=odenbach
> SASL/GSSAPI authentication started
> SASL username: [EMAIL PROTECTED]
> SASL SSF: 56
> SASL installing layers
> # extended LDIF
>
>
> Now my question: Who is responsible for the hostname check? Net::LDAP?
> Or IO::Socket::SSL? Who is to blame that Net::LDAP does not verify the
> hostname as advertised in Net::LDAP::Security? ;-)

The text in Security.pod's second point is wrong, though your summary of it is
correct. AIUI you could have the subjectAltName in the server's cert set to the
hostname (or IP address, and wildcards are supported) of the actual server, and
that should be checked in preference to the least-significant cn RDN.

Something should definitely implement that check. I guess it is up to Net::LDAP
to do that, because the algorithm to find the hostname/address might be
different for different application protocols using IO::Socket::SSL. But maybe
IO::Socket::SSL could implement various "common" algorithms?

> Thank you
>
> Christopher
>
> P.S.: Please include me in answers as I am not subscribed.

Cheers, Chris
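The check Chris describes (subjectAltName consulted in preference to the least-significant CN RDN, wildcards in the leftmost label, IP addresses via iPAddress entries), written out as an added illustration in Python; it is not code from this thread nor from Net::LDAP or IO::Socket::SSL, and the certificate structures are constructed stand-ins for the DN shown above, with the e-mail RDN replaced by a placeholder.

```python
import ipaddress

# Constructed sample certificates: subject DN as an ordered list of
# (attribute, value) RDNs plus the subjectAltName entries.
CERT_CN_ONLY = {                       # like the thread's server cert: no SAN
    "subject": [("C", "DE"), ("O", "Universitaet Paderborn"),
                ("CN", "ldap.uni-paderborn.de"),
                ("emailAddress", "placeholder@example.invalid")],
    "subjectAltName": [],
}
CERT_WITH_SAN = {                      # SAN present, CN is stale
    "subject": [("C", "DE"), ("O", "Universitaet Paderborn"),
                ("CN", "Old Server Name"), ("CN", "ldap.uni-paderborn.de")],
    "subjectAltName": [("DNS", "*.uni-paderborn.de"), ("IP", "192.0.2.10")],
}
CERT_SAN_OVERRIDES_CN = {              # CN matches, but SAN does not
    "subject": [("CN", "ldap.uni-paderborn.de")],
    "subjectAltName": [("DNS", "other.example")],
}


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive label match; '*' only as the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels so "*.de" cannot match.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_matches(cert: dict, host: str) -> bool:
    """True if host is an identity the cert asserts for the server."""
    sans = cert.get("subjectAltName", [])
    dns_sans = [v for t, v in sans if t == "DNS"]
    ip_sans = [v for t, v in sans if t == "IP"]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:                 # literal IP: only iPAddress SANs count
        return any(ipaddress.ip_address(v) == ip for v in ip_sans)
    if dns_sans or ip_sans:            # SAN present: it is authoritative
        return any(_dns_match(p, host) for p in dns_sans)
    # No SAN at all: fall back to the least-significant (last) CN RDN.
    cns = [v for a, v in cert["subject"] if a == "CN"]
    return bool(cns) and _dns_match(cns[-1], host)
```

With `CERT_CN_ONLY`, the short name `ldap` is rejected exactly as ldapsearch does in the thread, while the FQDN is accepted; a Net::LDAP client that stops at chain validation never runs this step at all.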