inejge / ldap3

A pure-Rust LDAP library using the Tokio stack
Apache License 2.0

TLS connection must be by hostname #23

Closed kxt closed 6 years ago

kxt commented 6 years ago

There is a check to disallow TLS connections.

I can't see the reason for not allowing TLS/StartTLS when accessing hosts by IP.

inejge commented 6 years ago

The requested hostname must be checked against the one in the presented server certificate. The check could be done with an IP address in theory, since there is an IP address option for X.509 SANs, but it's rarely used in practice and not recommended by, e.g., RFC 6125.
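How the reference identifier check inejge describes plays out for a hostname versus an IP literal, as an added example that is not ldap3 code and not from either commenter. It implements the RFC 6125 matching rules with only the Rust standard library: a DNS-ID is compared case-insensitively, a wildcard is honoured only as the whole leftmost label, and an IP-ID is compared as parsed address bytes (the iPAddress SAN is 4 or 16 raw octets in DER). The names `San`, `Reference`, `matches_san`, `verify` and `ip_san_from_octets` are hypothetical, and the SAN list is constructed inline rather than parsed from a certificate.

```rust
// Added example (hypothetical names, not the ldap3 API): matching the name the
// client asked for against the subjectAltName entries of a server certificate.
use std::convert::TryInto;
use std::net::IpAddr;

/// One subjectAltName entry; only the two GeneralName types relevant here.
#[derive(Debug, Clone, PartialEq)]
pub enum San {
    Dns(String), // dNSName
    Ip(IpAddr),  // iPAddress, decoded from its raw octets
}

/// The identifier the client intended to reach (RFC 6125 "reference identifier").
#[derive(Debug, Clone, PartialEq)]
pub enum Reference {
    Host(String),
    Ip(IpAddr),
}

/// Decode the raw iPAddress octets found in a certificate: 4 bytes for IPv4,
/// 16 for IPv6, anything else is malformed and rejected.
pub fn ip_san_from_octets(octets: &[u8]) -> Option<San> {
    match octets.len() {
        4 => {
            let a: [u8; 4] = octets.try_into().ok()?;
            Some(San::Ip(IpAddr::from(a)))
        }
        16 => {
            let a: [u8; 16] = octets.try_into().ok()?;
            Some(San::Ip(IpAddr::from(a)))
        }
        _ => None,
    }
}

/// Classify what the user typed: an IP literal becomes an IP-ID reference,
/// everything else a normalised (lower-case, no trailing dot) DNS-ID reference.
pub fn parse_reference(target: &str) -> Reference {
    match target.parse::<IpAddr>() {
        Ok(ip) => Reference::Ip(ip),
        Err(_) => Reference::Host(target.trim_end_matches('.').to_ascii_lowercase()),
    }
}

/// RFC 6125 section 6.4.3: a wildcard may only be the entire leftmost label,
/// matches exactly one label, and the remaining suffix needs at least two labels.
fn dns_matches(presented: &str, host: &str) -> bool {
    let presented = presented.trim_end_matches('.').to_ascii_lowercase();
    if presented == host {
        return true;
    }
    if let Some(suffix) = presented.strip_prefix("*.") {
        if suffix.contains('*') || suffix.split('.').count() < 2 {
            return false;
        }
        if let Some((first, tail)) = host.split_once('.') {
            return !first.is_empty() && tail == suffix;
        }
    }
    false
}

/// A hostname only ever matches a dNSName and an IP literal only an iPAddress:
/// no DNS resolution, no textual comparison across the two types.
pub fn matches_san(reference: &Reference, sans: &[San]) -> bool {
    sans.iter().any(|san| match (reference, san) {
        (Reference::Host(h), San::Dns(d)) => dns_matches(d, h),
        (Reference::Ip(a), San::Ip(b)) => a == b,
        _ => false,
    })
}

/// Convenience wrapper: does `target` (hostname or IP literal) match any SAN?
pub fn verify(target: &str, sans: &[San]) -> bool {
    matches_san(&parse_reference(target), sans)
}

fn main() {
    // Constructed SAN list standing in for a private-CA certificate that
    // carries both DNS names and an IPv4 iPAddress entry.
    let sans = vec![
        San::Dns("ldap.example.com".to_string()),
        San::Dns("*.corp.example.com".to_string()),
        ip_san_from_octets(&[10, 0, 0, 5]).expect("4 octets"),
    ];
    for target in ["ldap.example.com", "dc1.corp.example.com", "10.0.0.5", "10.0.0.6"] {
        println!("{target:>22} -> {}", verify(target, &sans));
    }
}
```

The last two lines of the SAN list illustrate inejge's point: connecting by `10.0.0.5` is verifiable only because the certificate actually carries an iPAddress entry; a certificate with DNS names alone, which is what most issuers produce, makes the same connection fail closed.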

kxt commented 6 years ago

The referenced RFC seems to apply to certificates issued by public issuers for public services; however, most LDAP services are running on private networks, with private CA issuers, possibly issuing certificates for private IP addresses.

I don't think the LDAP library should do this kind of X509 (pre-)validation, such things should be deferred to the TLS implementation.