On 31 Mar 2010, at 19:25, Prentice Bisbal wrote:

> It's my understanding that using LDAPS->new or $ldap->start_tls with the
> option
>
>     verify => 'require'
>
> Should verify that the host name should be checked and fail if it's not
> an exact match. From my experience with websites, TLS/SSL requires that
> if the cert contains the FQDN for the server, the verification will fail
> if the name in the web browser's address doesn't also have the FQDN.
>
> I wrote a program using the code below. The cert for the LDAP server has
> the FQDN (ldap1.domain.tld), however when I call the program with
> hostname specified as "ldap1", I do not get any kind of verification
> error. ldap1 doesn't allow any unencrypted traffic at all, so I know
> I must be connecting over SSL/TLS or I would have gotten a
> "confidentiality required" error from the server.
>
> NOTE: In my previous e-mail, I left out a section of the code. This
> e-mail includes all the code. Sorry for the screw-up:
>
> It's my understanding that using LDAPS->new or $ldap->start_tls with the
> option
>
>     verify => 'require'
>
> Should verify that the host name should be checked and fail if it's not
> an exact match.
No, all it means is that the certificate chain is trusted, i.e. it is signed by a CA that you trust. The rules for checking that the hostname matches are more complex than you describe, but luckily it seems that IO::Socket::SSL has a verify_hostname method that should do what is needed, e.g.:

    $ldap = Net::LDAP->new("hostname") or die;
    [...start_tls etc...]
    $ldap->socket->verify_hostname("hostname", "ldap")
        || die "Hostname verification error";

We should either document this, or (my preference) add code to call verify_hostname ourselves.

Cheers,
Chris
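The following is an added example, not code from either message in this thread and not part of Net::LDAP itself. It puts the two steps Chris describes together in one runnable script: verify => 'require' establishes that the chain ends at a trusted CA, and a separate call to IO::Socket::SSL's verify_hostname checks that the name the client asked for matches the certificate. The server name ldap1.domain.tld, the CA bundle path and the base DN are hypothetical placeholders. Later Net::LDAP releases may perform the hostname check themselves when verify => 'require' is given; this example assumes the behaviour reported in the thread, where that check is not done for you.

```perl
#!/usr/bin/perl
# Added example (not from the thread): STARTTLS to an LDAP server with a
# trusted chain required, then an explicit hostname check before any
# credentials are sent. Hypothetical values: host ldap1.domain.tld,
# CA bundle /etc/ssl/certs/ca-bundle.crt.
use strict;
use warnings;
use Net::LDAP;
use IO::Socket::SSL;

my $host   = shift @ARGV // 'ldap1.domain.tld';
my $cafile = '/etc/ssl/certs/ca-bundle.crt';

my $ldap = Net::LDAP->new($host, version => 3)
    or die "connect to $host failed: $@\n";

# Step 1: verify => 'require' only checks that the server certificate
# chains up to a CA in $cafile. It says nothing about the hostname.
my $mesg = $ldap->start_tls(verify => 'require', cafile => $cafile);
die "start_tls failed: " . $mesg->error . "\n" if $mesg->code;

# Step 2: compare the name we connected to against the certificate's
# subjectAltName / CN, using IO::Socket::SSL's 'ldap' scheme rules.
my $sock = $ldap->socket;
$sock->isa('IO::Socket::SSL')
    or die "socket is not an SSL socket after start_tls\n";

unless ($sock->verify_hostname($host, 'ldap')) {
    my $peer_cn = $sock->peer_certificate('cn') // '(none)';
    $ldap->unbind;
    die "hostname verification failed: asked for '$host', "
      . "certificate CN is '$peer_cn'\n";
}

print "TLS established and certificate matches '$host'\n";

# Only now is it safe to send a password (anonymous bind here just to
# show the session is usable after the check).
$mesg = $ldap->bind;
die "bind failed: " . $mesg->error . "\n" if $mesg->code;
$ldap->unbind;
```

Run it with the FQDN and it proceeds to the bind; run it with the short name from the original report (perl check-ldap-tls.pl ldap1) and, if the certificate carries only ldap1.domain.tld, the script dies at the verify_hostname step even though start_tls itself succeeded, which is exactly the gap between "chain is trusted" and "name matches" that the reply points out. Doing the check before bind matters: once the socket is upgraded, start_tls alone does not stop a mis-issued or wrong-host certificate from receiving the credentials.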