Daniel Pocock wrote:
From RFC 4513, "The client determines the type (e.g., DNS name or IP
address) of the reference identity and performs a comparison between the
reference identity and each subjectAltName value of the corresponding
type until a match is produced" is very vague.
My understanding
On 03/03/12 11:45, Michael Ströder wrote:
Daniel Pocock wrote:
From RFC 4513, The client determines the type (e.g., DNS name or IP
address) of the reference identity and performs a comparison between the
reference identity and each subjectAltName value of the corresponding
type until a
On 03/03/12 12:46, Michael Ströder wrote:
Daniel Pocock wrote:
On 03/03/12 11:45, Michael Ströder wrote:
Practically the LDAP client when configured to use
ldaps://ldap1.outsource.com, ldaps://ldap2.outsource.com or
ldap://mycompany.com hopefully does
1. a validation of the server's cert
Daniel Pocock wrote:
On 03/03/12 12:46, Michael Ströder wrote:
Using DNS SRV is simply not specified regarding SSL/TLS. There's no way
to map a naming context to a server cert, even if your local security
policy says your DNS is trusted by some other means.
A hostname can be a reference
On 03/03/12 15:17, Michael Ströder wrote:
Daniel Pocock wrote:
On 03/03/12 12:46, Michael Ströder wrote:
Using DNS SRV is simply not specified regarding SSL/TLS. There's no way
to map a naming context to a server cert, even if your local security
policy says your DNS is trusted by some other
Daniel Pocock wrote:
http://tools.ietf.org/html/rfc4513#section-3.1.3 gives some detail about
how a client should check an LDAP server's TLS certificate. The
language used there is very general though.
Can anyone comment on how OpenLDAP does this, and whether it can be
tweaked from the client