mrc0mmand / rpms / openldap

Forked from rpms/openldap 3 years ago
Clone
Blob Blame History Raw
Do not check CN when checking SAN failed

This is to make it compliant with RFC 6125:
https://tools.ietf.org/html/rfc6125#section-6.4.4

Author: Matus Honek <mhonek@redhat.com>

diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 92c708be0..46b48a3fb 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -675,11 +675,16 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
 			GENERAL_NAMES_free(alt);
 			if (i < n) {	/* Found a match */
 				ret = LDAP_SUCCESS;
+			} else {	/* None matched */
+				Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match any "
+					"SAN in certificate.\n", 
+					name, NULL, NULL );
+				ret = LDAP_CONNECT_ERROR;
 			}
 		}
 	}
 
-	if (ret != LDAP_SUCCESS) {
+	if (ret == LDAP_LOCAL_ERROR) {
 		X509_NAME *xn;
 		X509_NAME_ENTRY *ne;
 		ASN1_OBJECT *obj;