Hi! I tried the ldaps test with my ldaps server (compiled from the OpenLDAP source code) and nginx with the nginx-auth-ldap module.
I tried the ldap configuration in nginx.conf. The test is good.
I tried the ldaps configuration with the URL in domain-name form. The test is also good.
But if I changed the ldaps configuration to a URL in IP form, the test always failed.
My nginx.conf, the ldaps server url part:
url ldaps://192.168.0.133:636/dc=ipcamera,dc=com?uid?sub?(objectClass=*);
The following is the SAN in my server certificate.
X509v3 Subject Alternative Name:
DNS:green-3kl.com, IP Address:192.168.0.133
I traced the code.
I found maybe something wrong in the function ngx_http_auth_ldap_ssl_handshake_handler().
There is one line in the function:
addr_verified = X509_check_ip(cert, (const unsigned char*)conn_sockaddr->sa_data, len, 0);
The return value of addr_verified seems to always be 0.
It makes the following if statement,
if ( !(cert && addr_verified && chain_verified == X509_V_OK) )
always give the error message.
I think
addr_verified = X509_check_ip(cert, (const unsigned char*)conn_sockaddr->sa_data, len, 0);
may cause something wrong.
X509_check_ip() will compare the cert's SAN name and conn_sockaddr->sa_data,
to make sure the certificate is really for the ldaps server.
But the type of conn_sockaddr is "struct sockaddr".
The beginning of sockaddr->sa_data seems not to be the IP address.
That's why the comparison result is always different.
I think
addr_verified = X509_check_ip(cert, (const unsigned char*)conn_sockaddr->sa_data, len, 0);
should change to
struct sockaddr_in *addr_in = (struct sockaddr_in *)conn_sockaddr;
const unsigned char *ip_addr = (const unsigned char *)&addr_in->sin_addr;
addr_verified = X509_check_ip(cert, ip_addr, len, 0);
or
addr_verified = X509_check_ip(cert, (const unsigned char*)conn_sockaddr->sa_data+2, len, 0);
because the IP address is shifted by 2 bytes from sa_data[0].
I am a newcomer. Can anyone double-confirm my question?
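As an added check of the analysis in the post above (example code written for this page, not the nginx-auth-ldap module's own code, and it does not link OpenSSL): the helper below picks the address bytes by sa_family instead of using a fixed offset into sa_data, which covers the IPv4 case the issue describes and also IPv6, where the +2 offset would land on sin6_flowinfo rather than sin6_addr. The san_ip_matches() function is a constructed stand-in for the per-entry comparison X509_check_ip() performs; in the module, the (pointer, length) pair returned by sockaddr_ip_bytes() would be passed as X509_check_ip()'s chk and chklen arguments, and chklen must be 4 or 16 to match the iPAddress SAN entry. The peer addresses and SAN bytes are constructed test inputs.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/*
 * Family-aware extraction of the raw, network-order address bytes from a
 * generic struct sockaddr. Sets *out to the address bytes and returns their
 * length: 4 for AF_INET, 16 for AF_INET6, 0 for anything else. The pair
 * (*out, length) is what X509_check_ip(cert, chk, chklen, 0) expects as
 * chk/chklen; the OpenSSL call itself is not made in this example.
 */
static size_t sockaddr_ip_bytes(const struct sockaddr *sa, const unsigned char **out)
{
    switch (sa->sa_family) {
    case AF_INET: {
        const struct sockaddr_in *in4 = (const struct sockaddr_in *)sa;
        *out = (const unsigned char *)&in4->sin_addr;
        return sizeof(in4->sin_addr);
    }
    case AF_INET6: {
        const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)sa;
        *out = (const unsigned char *)&in6->sin6_addr;
        return sizeof(in6->sin6_addr);
    }
    default:
        *out = NULL;
        return 0;
    }
}

/* Stand-in (constructed here, not OpenSSL) for how X509_check_ip() matches one
 * iPAddress SAN entry: lengths must be equal and all bytes must match. */
static int san_ip_matches(const unsigned char *san, size_t sanlen,
                          const unsigned char *ip, size_t iplen)
{
    return sanlen == iplen && memcmp(san, ip, iplen) == 0;
}

/* The three candidate pointers discussed in the issue, checked against a SAN. */
static int naive_sa_data_matches(const struct sockaddr *sa, const unsigned char *san, size_t sanlen)
{
    /* sa_data starts with the 2-byte port, so port bytes get compared as address bytes. */
    return san_ip_matches(san, sanlen, (const unsigned char *)sa->sa_data, sanlen);
}

static int sa_data_plus2_matches(const struct sockaddr *sa, const unsigned char *san, size_t sanlen)
{
    /* Right for AF_INET only: for AF_INET6 offset 2 lands on sin6_flowinfo. */
    return san_ip_matches(san, sanlen, (const unsigned char *)sa->sa_data + 2, sanlen);
}

static int family_aware_matches(const struct sockaddr *sa, const unsigned char *san, size_t sanlen)
{
    const unsigned char *ip;
    size_t iplen = sockaddr_ip_bytes(sa, &ip);
    return iplen != 0 && san_ip_matches(san, sanlen, ip, iplen);
}

/* Constructed inputs: the issue's peer 192.168.0.133:636 with a SAN of
 * 192.168.0.133, and an IPv6 peer [2001:db8::1]:636 with a matching SAN. */
static const unsigned char SAN_V4[4]  = { 192, 168, 0, 133 };
static const unsigned char SAN_V6[16] = { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };

static void peer_v4(struct sockaddr_in *a)
{
    memset(a, 0, sizeof *a);
    a->sin_family = AF_INET;
    a->sin_port = htons(636);
    inet_pton(AF_INET, "192.168.0.133", &a->sin_addr);
}

static void peer_v6(struct sockaddr_in6 *a)
{
    memset(a, 0, sizeof *a);
    a->sin6_family = AF_INET6;
    a->sin6_port = htons(636);
    inet_pton(AF_INET6, "2001:db8::1", &a->sin6_addr);
}

int v4_naive(void)        { struct sockaddr_in  a; peer_v4(&a); return naive_sa_data_matches((const struct sockaddr *)&a, SAN_V4, 4); }
int v4_plus2(void)        { struct sockaddr_in  a; peer_v4(&a); return sa_data_plus2_matches((const struct sockaddr *)&a, SAN_V4, 4); }
int v4_family_aware(void) { struct sockaddr_in  a; peer_v4(&a); return family_aware_matches((const struct sockaddr *)&a, SAN_V4, 4); }
int v6_plus2(void)        { struct sockaddr_in6 a; peer_v6(&a); return sa_data_plus2_matches((const struct sockaddr *)&a, SAN_V6, 16); }
int v6_family_aware(void) { struct sockaddr_in6 a; peer_v6(&a); return family_aware_matches((const struct sockaddr *)&a, SAN_V6, 16); }

int main(void)
{
    printf("IPv4 sa_data       : %d\n", v4_naive());         /* 0: port bytes compared */
    printf("IPv4 sa_data+2     : %d\n", v4_plus2());         /* 1 */
    printf("IPv4 family-aware  : %d\n", v4_family_aware());  /* 1 */
    printf("IPv6 sa_data+2     : %d\n", v6_plus2());         /* 0: hits sin6_flowinfo */
    printf("IPv6 family-aware  : %d\n", v6_family_aware());  /* 1 */
    return 0;
}
```

The family-aware path is the one to prefer over the +2 offset: it reads the address through the proper sockaddr_in / sockaddr_in6 field, and it hands X509_check_ip() a length that matches the SAN entry for both families, so a certificate with an IPv6 iPAddress entry verifies the same way as the IPv4 one in the issue.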