On 16/5/07 12:26, "Christopher Odenbach" <[EMAIL PROTECTED]> wrote:
> > Hi,
> 
>>> Something should definitely implement that check. I guess it is up
>>> to Net::LDAP to do that, because the algorithm to find the
>>> hostname/address
>>> might be different for different application protocols using
>>> IO::Socket::SSL.
>>
>> Yes. The LDAP checks are described in RFC 4513.
>
> OK, attached is my first shot at the problem.
>
> I think that probably the most elegant way to implement the host name
> check would be with the 'SSL_verify_callback' parameter of
> IO::Socket::SSL. But there are two problems:
>
> - the callback is called for every certificate involved, so also for
>   signing certificates in the chain, not only for the peer certificate
> - the callback only gets few parameters, it does not get the certificate
>   subject which includes the host name
>
> So I chose to implement the host check manually at two places:
> connect_ldaps and start_tls.
>
> The attached patch applies to LDAP.pm from the current version 0.34. It
> uses the 'verify' parameter to find out whether to check the host name
> or not.
>
> Now my test program behaves like it should:
>
> [EMAIL PROTECTED]:~/WORK$ ./test_ldap_tls.pl ldap
> TLS: Error: host name mismatch in certificate!
> [EMAIL PROTECTED]:~/WORK$ ./test_ldap_tls.pl ldap.uni-paderborn.de
> OK
>
>
> Any comments?

Great start!

There are a couple of ways it could be improved (IMO):

* it should be picking up the certificate's hostname from the subjectAltName
  field, and only if that's not found look in the DN
* it should be able to support "wildcarded" hostnames
* there are some complicated rules for matching internationalized domain names
* it would be nice if it supported IP address matching too

I think the subjectAltName check is pretty important.

Cheers,
Chris
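The four improvements Chris lists (subjectAltName before the subject DN, wildcard labels, internationalized names, IP address matching) are the server identity check of RFC 4513 section 3.1.3. The block below is an added worked example of that check and is not code from Christopher's patch, from Net::LDAP or from IO::Socket::SSL; it is written in Python rather than Perl so the matching rules can be read on their own. It assumes the peer certificate has already been parsed into a plain dict with a `subject_alt_names` list of `(type, value)` pairs and a `subject_cn` string; the dict layout, the function names and the sample certificates are constructed for the example.

```python
import ipaddress


def _match_dns(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (possibly wildcarded) against a hostname.

    Rules applied here (RFC 4513 / RFC 6125 style, the example's own choice):
    - comparison is case-insensitive, trailing dots ignored
    - a '*' is only accepted as the entire leftmost label and matches exactly
      one label, so '*.example.org' matches 'host.example.org' but neither
      'a.b.example.org' nor 'example.org'
    - at least two labels must follow the wildcard ('*.de' is rejected)
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _to_ascii_hostname(reference: str) -> str:
    """Convert an internationalized reference name to its A-label form.

    Certificate names are IA5Strings, so the name the client connected to is
    converted with Python's IDNA codec (IDNA 2003 nameprep) before comparison.
    ASCII labels pass through unchanged.
    """
    return reference.rstrip(".").encode("idna").decode("ascii")


def verify_server_identity(cert: dict, reference: str) -> bool:
    """Return True if `cert` is valid for the name or address the client used.

    Order of precedence:
    1. if the reference is an IP address, only iPAddress SAN entries count
    2. if the certificate has any dNSName SAN entries, only those count
    3. otherwise fall back to the subject CN (legacy behaviour)
    """
    sans = cert.get("subject_alt_names", [])

    try:
        wanted_ip = ipaddress.ip_address(reference)
    except ValueError:
        wanted_ip = None

    if wanted_ip is not None:
        for san_type, value in sans:
            if san_type != "IP":
                continue
            try:
                if ipaddress.ip_address(value) == wanted_ip:
                    return True
            except ValueError:
                continue  # malformed SAN entry never matches
        return False

    hostname = _to_ascii_hostname(reference)
    dns_names = [value for san_type, value in sans if san_type == "DNS"]
    if dns_names:
        # SAN present: the CN is deliberately ignored even if it would match
        return any(_match_dns(p, hostname) for p in dns_names)

    cn = cert.get("subject_cn")
    return cn is not None and _match_dns(cn, hostname)


# Constructed sample certificates, not real ones.
SAN_CERT = {
    "subject_alt_names": [
        ("DNS", "ldap.uni-paderborn.de"),
        ("DNS", "*.example.org"),
        ("DNS", "ldap.xn--mller-kva.example"),
        ("IP", "192.0.2.10"),
    ],
    "subject_cn": "cn-only.example.net",
}
CN_ONLY_CERT = {"subject_alt_names": [], "subject_cn": "ldap.example.com"}


if __name__ == "__main__":
    # Mirrors the two runs of the test program quoted above.
    for host in ("ldap", "ldap.uni-paderborn.de"):
        ok = verify_server_identity(SAN_CERT, host)
        print(host, "->", "OK" if ok else "host name mismatch in certificate!")
```

Note that the short name `ldap` fails even though it is how the client reached the server: only the name the certificate asserts is trusted, so an LDAP client should compare the name it was configured with (or, for IP addresses, the literal address) and not anything learned from DNS on the way.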