NOTE: In my previous e-mail, I left out a section of the code. This e-mail includes all the code. Sorry for the screw-up:

It's my understanding that using LDAPS->new or $ldap->start_tls with the option verify => 'require' should mean that the host name is checked and the connection fails if it's not an exact match. From my experience with websites, TLS/SSL requires that if the cert contains the FQDN for the server, the verification will fail if the name in the web browser's address bar doesn't also have the FQDN.

I wrote a program using the code below. The cert for the LDAP server has the FQDN (ldap1.domain.tld), however when I call the program with hostname specified as "ldap1", I do not get any kind of verification error. ldap1 doesn't allow any unencrypted traffic at all, so I know I must be connecting over SSL/TLS or I would have gotten a "confidentiality required" error from the server.

Am I doing something wrong, or have an incorrect understanding of how SSL/TLS works in this case?

    use Net::LDAP;

    # $hostname, $port, $ssl, $starttls, $verbose, $timeout and $cafile
    # are set from the command-line options earlier in the program.

    # Step 1:
    # Try to connect. If we fail here, exit with return code 2
    if (($port == 636) || ($ssl)) {
        if ($verbose) { print "Connecting with scheme = ldaps\n"; }
        # default to the ldaps port when -ssl was given without a port
        if (!$port) { $port = '636'; }
        $ldap = Net::LDAP->new($hostname,
                               port    => $port,
                               scheme  => 'ldaps',
                               timeout => $timeout,
                               verify  => 'require',
                               cafile  => $cafile)
            || exit(2);
    } else {
        if ($verbose) { print "Connecting with scheme = ldap\n"; }
        $ldap = Net::LDAP->new($hostname,
                               port    => $port,
                               scheme  => 'ldap',
                               timeout => $timeout)
            || exit(2);
    }

    # Step 1b:
    # If starttls is specified, try to starttls.
    # If we fail, exit status = 2
    if ($starttls) {
        if ($verbose) { print "Starting TLS\n"; }
        $mesg = $ldap->start_tls(verify => 'require',
                                 cafile => $cafile);
        $code = $mesg->code;
        if ($code != 0) {
            $error = $mesg->error;
            print "Could not start TLS\n";
            print "$error\n";
            $exit_val = '2';
        }
    }

--
Prentice Bisbal
Linux Software Support Specialist/System Administrator
School of Natural Sciences
Institute for Advanced Study
Princeton, NJ
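One way to find out whether the certificate actually matches the name that was connected to, independent of whether the library enforced it during the handshake: pull the underlying IO::Socket::SSL object out of the Net::LDAP connection, print what the server presented, and run IO::Socket::SSL's own hostname check with the LDAP matching rules. This is an added example, not code from the mail above or from Net::LDAP itself; the CA bundle path, the port and the default host name are placeholders.

```perl
#!/usr/bin/perl
# Added example (not from the original mail): after Net::LDAP has opened an
# ldaps connection, fetch the underlying IO::Socket::SSL socket and check the
# server certificate against the name we connected with, so that a missing
# hostname check shows up as a visible failure instead of passing silently.
use strict;
use warnings;
use Net::LDAP;
use IO::Socket::SSL;

# Assumed values (placeholders, not taken from the original mail):
my $hostname = shift @ARGV || 'ldap1';           # name the user typed
my $cafile   = '/etc/ssl/certs/ca-bundle.crt';   # CA bundle for the server cert
my $port     = 636;

# verify => 'require' makes Net::LDAP fail the handshake if the chain does not
# validate against $cafile; Net::LDAP returns undef and sets $@ on failure.
my $ldap = Net::LDAP->new($hostname,
    port    => $port,
    scheme  => 'ldaps',
    timeout => 10,
    verify  => 'require',
    cafile  => $cafile,
) or die "LDAPS connect to $hostname:$port failed: $@\n";

# The socket Net::LDAP is talking through; for scheme ldaps it is an SSL socket.
my $sock = $ldap->socket;
die "connection is not TLS-protected\n" unless $sock->isa('IO::Socket::SSL');

# Show what the server actually presented, so a mismatch is easy to spot.
print "Subject: ", $sock->peer_certificate('subject'), "\n";
print "Issuer:  ", $sock->peer_certificate('issuer'),  "\n";

# Explicit name check using the 'ldap' scheme (SAN dNSName entries, then CN).
# A strict client should already have done this during the handshake; if the
# line below reports a mismatch while the connect above succeeded, the name
# was not being checked by the library configuration in use.
if ($sock->verify_hostname($hostname, 'ldap')) {
    print "Certificate matches '$hostname'\n";
    $ldap->unbind;
    exit 0;
}

print "Certificate does NOT match '$hostname'\n";
$ldap->unbind;
exit 2;
```

Run it once with the short name and once with the FQDN; only the FQDN run should report a match if the certificate carries ldap1.domain.tld alone, which gives a direct answer to the question above without depending on what the Net::LDAP verify option does on a given installed version.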