Michael Ströder wrote:
> Howard Chu wrote:
>> Michael Ströder wrote:
>>> Howard Chu wrote:
>>>> Show the output with debugging enabled. Note that "localhost" is treated
>>>> specially, and will be replaced by the local hostname instead of being used
>>>> directly in the name comparison.
>>>
>>> Why that? I strongly dislike automagic things when doing security checks.
>>
>> Probably because "localhost" is useless in an actual cert from a remote
>> server.
>
> Yes. But nothing prevents the client from providing the correct hostname.

Laziness, and the ubiquity of "localhost" in canned configs...

>> This has been a feature of libldap since 2.1, so it's certainly
>> nothing new.
>
> You can blame me that I did not notice this feature before. Still I think
> that's broken since libldap has to rely on trustworthy name resolution then
> instead of just comparing the inherently trusted user input against the cert's
> CN attribute.

Hmm, didn't we have this discussion before? I'm sure we have. Replacing
"localhost" with the output of gethostname() is still inherently secure.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/