Chris Ridd wrote:
> On 31 Mar 2010, at 19:25, Prentice Bisbal wrote:
>
>> It's my understanding that using LDAPS->new or $ldap->start_tls with the
>> option
>>
>> verify => 'require'
>>
>> Should verify that the host name should be checked and fail if it's not
>> an exact match. From my experience with websites, TLS/SSL requires that
>> if the cert contains the FQDN for the server, the verification will fail
>> if the name in the web-browser's address doesn't also have the FQDN.
>>
>> I wrote a program using the code below. The cert for the LDAP server has
>> the FQDN (ldap1.domain.tld), however when I call the program with
>> hostname specified as "ldap1", I do not get any kind of verification
>> error. ldap1 doesn't allow any unencrypted traffic at all, so I know
>> I must be connecting over SSL/TLS or I would have gotten a
>> "confidentiality required" error from the server.
>>
>> NOTE: In my previous e-mail, I left out a section of the code. This
>> e-mail includes all the code. Sorry for the screw-up:
>>
>> It's my understanding that using LDAPS->new or $ldap->start_tls with the
>> option
>>
>> verify => 'require'
>>
>> Should verify that the host name should be checked and fail if it's not
>> an exact match.
>
> No, all it means is that the certificate chain is trusted, ie is signed by a
> CA that you trust.
>
> The rules for checking the hostname matches are more complex than you
> describe, but luckily it seems that IO::Socket::SSL has a verify_hostname
> method that should do what is needed. eg:
>
> $ldap = Net::LDAP->new("hostname") or die;
> [...start_tls etc...]
> $ldap->socket->verify_hostname("hostname", "ldap") || die "Hostname
> verification error";
>
> We should either document this, or (my preference) add code to call
> verify_hostname ourselves.
>
> Cheers,
>
> Chris
Thanks for the clarification. That's exactly what I was looking for. I'm going to add that verify_hostname call to my code.

--
Prentice
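The two separate checks Chris describes, put together into one complete script. This is an added example, not code from the thread or from Net::LDAP itself: the CA bundle path and the server name are placeholders, and it assumes (as Chris's snippet does) that after start_tls `$ldap->socket` returns the IO::Socket::SSL object on which `verify_hostname` is available. `verify => 'require'` only establishes that the chain leads to a trusted CA; the name in the certificate is matched against the name the client connected to only by the explicit `verify_hostname` call.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;

# Placeholder values, not taken from the thread.
my $cafile = '/etc/ssl/certs/ca-bundle.crt';

# Connect to $host, upgrade to TLS, and perform both checks:
#   1. chain trust   (verify => 'require', against $cafile)
#   2. name match    (verify_hostname with the 'ldap' scheme)
# Returns the connected Net::LDAP object, or dies with the reason.
sub connect_verified {
    my ($host) = @_;

    my $ldap = Net::LDAP->new($host) or die "connect to $host failed: $@\n";

    # Step 1: the server certificate must chain to a CA in $cafile.
    my $mesg = $ldap->start_tls(verify => 'require', cafile => $cafile);
    die "start_tls failed: " . $mesg->error . "\n" if $mesg->code;

    # Step 2: the certificate's name must match the host we asked for.
    # Connecting as "ldap1" to a certificate issued for "ldap1.domain.tld"
    # passes step 1 but fails here.
    $ldap->socket->verify_hostname($host, 'ldap')
        or die "hostname verification failed for '$host'\n";

    return $ldap;
}

my $host = shift @ARGV or die "usage: $0 <ldap-host>\n";
my $ldap = connect_verified($host);
print "TLS chain and hostname verified for $host\n";
$ldap->unbind;
```

Run it once with the FQDN and once with the short name: the chain check passes in both cases, and only the second run dies at the `verify_hostname` line, which is the failure the original report was expecting from `verify => 'require'` alone.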