--On Tuesday, May 09, 2017 10:58 PM +0200 Michael Ströder
<mich...@stroeder.com> wrote:
> "subjectAltName" means *alternative* name. It is totally correct for
> libldap to reject your cert with a hostname mismatch when the cert CN is
> incorrect.
Human language can cause misunderstandings. So maybe I misread your
statement. But I'm reading your sentence that the CN must always match or
at least be a FQDN even if a subjectAltName value already matched.
Right now, it requires that a value in subjectAltName match the local host
name, which is also invalid. I know the purpose of the check is to allow
someone to use -H ldap://localhost to the ldap client, where the cert only
exists for the hostname (i.e., it has no DNS:localhost value). However,
the current code I maintain is incorrect in that it invalidates the current
case, where everything is restricted to "localhost". Quite frankly, the
cert CN can technically be anything, as long as at least one value in
subjectAltName matches.
Unfortunately, I can't do an IP based cert either, since I've no idea what
"localhost" will actually map to on the system.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
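The matching rule the thread is arguing about (dNSName SAN entries are authoritative, the CN is only a fallback when the certificate carries no dNSName SAN, and an "ldap://localhost" client may be let through when the certificate names the machine's own FQDN) can be written down as a small checker. The code below is an added example written for this page; it is not libldap's code and does not claim to reproduce libldap's behaviour. It works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so it runs offline against the constructed certificates at the bottom; the `local_names` parameter (the machine's own names to try when the URI host is a loopback alias) and the `LOOPBACK_ALIASES` set are assumptions for the example.

```python
"""Hostname verification over ssl.getpeercert()-style dictionaries.

Added example, not libldap code. Rules implemented (RFC 6125 / RFC 2818 practice):
  * dNSName SAN entries are authoritative; if any exist the CN is ignored.
  * the subject CN is consulted only when the cert has no dNSName SAN.
  * an IP literal must match an iPAddress SAN; the CN is never used for IPs.
  * a wildcard must be the entire left-most label, one label deep, never a TLD.
The loopback step models the "-H ldap://localhost" convenience from the thread:
if the requested host is a loopback alias and the direct match fails, the cert
is re-checked against the machine's own names (assumed parameter local_names).
Because the direct match runs first, a cert that really carries DNS:localhost
is accepted as-is instead of being forced to name the local FQDN.
"""
import ipaddress
import socket

LOOPBACK_ALIASES = {"localhost", "localhost.localdomain"}  # assumed for the example


def dns_name_matches(pattern, host):
    """Case-insensitive dNSName match with conservative wildcard handling."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern or not host:
        return False
    if "*" not in pattern:
        return pattern == host
    plabels = pattern.split(".")
    hlabels = host.split(".")
    # "*" must be the whole left-most label and at least two labels must follow it
    if plabels[0] != "*" or len(plabels) < 3 or any("*" in l for l in plabels[1:]):
        return False
    # the wildcard covers exactly one non-empty label
    if len(hlabels) != len(plabels) or not hlabels[0]:
        return False
    return plabels[1:] == hlabels[1:]


def _subject_cn(cert):
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def _san_names(cert):
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    return dns, ips


def _match_one(cert, host):
    """Return (ok, reason) for a single candidate name, SAN first, CN as fallback."""
    dns, ips = _san_names(cert)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        for v in ips:
            try:
                if ipaddress.ip_address(v) == ip:
                    return True, "iPAddress SAN %s" % v
            except ValueError:
                continue
        return False, "no iPAddress SAN matches; CN is never consulted for IP literals"
    for v in dns:
        if dns_name_matches(v, host):
            return True, "dNSName SAN %s" % v
    if dns:
        return False, "dNSName SANs present but none match; CN ignored"
    cn = _subject_cn(cert)
    if cn and dns_name_matches(cn, host):
        return True, "CN %s (cert has no dNSName SAN)" % cn
    return False, "no SAN and CN does not match"


def verify_hostname(cert, host, local_names=None):
    """Return (ok, reason). local_names defaults to this machine's own names."""
    ok, why = _match_one(cert, host)
    if ok:
        return True, why
    if host.lower() in LOOPBACK_ALIASES:
        if local_names is None:
            local_names = [socket.gethostname(), socket.getfqdn()]
        for name in local_names:
            ok2, why2 = _match_one(cert, name)
            if ok2:
                return True, "%s accepted via local name %s: %s" % (host, name, why2)
    return False, why


# Constructed sample certificates in getpeercert() form (not real certificates).
CERT_SAN = {
    "subject": ((("commonName", "anything-at-all"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "*.example.com"),
                       ("IP Address", "192.0.2.10")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "ldap.example.com"),),)}
CERT_LOCALHOST = {"subject": ((("commonName", "localhost"),),),
                  "subjectAltName": (("DNS", "localhost"),)}

if __name__ == "__main__":
    for cert, host in [(CERT_SAN, "ldap.example.com"), (CERT_SAN, "anything-at-all"),
                       (CERT_SAN, "192.0.2.10"), (CERT_CN_ONLY, "ldap.example.com"),
                       (CERT_LOCALHOST, "localhost")]:
        print(host, verify_hostname(cert, host, local_names=["ldap.example.com"]))
```

`CERT_SAN` is the case from the thread: its CN is nonsense, yet `ldap.example.com` is accepted because a dNSName SAN matches, and asking for the CN value itself is rejected because SAN entries are present. `CERT_LOCALHOST` is the case Quanah says the current check wrongly fails: the cert carries DNS:localhost, so it is accepted on the direct match and the local-name fallback is never needed.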