The OpenLDAP client library, libldap, does not strictly follow RFC 6125 during certificate validation. When checking the server's name, it falls back to matching against the Common Name identifier (CN-ID) even though the certificate presents other identifiers (such as DNS-IDs) that do not match. RFC 6125 (section 6.4.4, Checking of Common Names) explicitly forbids this:

```
As noted, a client MUST NOT seek a match for a reference identifier of CN-ID if the presented identifiers include a DNS-ID, SRV-ID, URI-ID, or any application-specific identifier types supported by the client.
```

This may help an attacker force a client to accept a specially crafted certificate as valid, which could be used for a Person in the Middle attack.
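The following is an added example, not libldap's code, that models the two behaviours side by side: the lenient CN fallback described above and the RFC 6125 rule. A certificate is represented as a dict of the identifier types it presents (DNS-ID, SRV-ID, URI-ID, CN-ID); only DNS-ID comparison is implemented, SRV-ID and URI-ID are tracked for presence only, and all certificate data is constructed.

```python
"""Reference-identifier matching per RFC 6125 section 6.4.4 (added example,
not OpenLDAP/libldap code). A certificate is modeled as the identifiers it
presents: subjectAltName dNSName entries (DNS-ID), any SRV-ID/URI-ID entries,
and the subject Common Name (CN-ID). All sample data below is constructed."""


def dns_id_matches(presented: str, reference: str) -> bool:
    """Case-insensitive DNS-ID comparison. A wildcard is honored only as the
    complete left-most label and matches exactly one label (RFC 6125 6.4.3)."""
    p = presented.lower().rstrip(".").split(".")
    r = reference.lower().rstrip(".").split(".")
    # Label counts must agree; reject single-label names so a bare "*" never matches.
    if len(p) != len(r) or len(p) < 2:
        return False
    if p[0] == "*":
        return p[1:] == r[1:]
    return p == r


def matches_cn_fallback(cert: dict, reference: str) -> bool:
    """Behaviour described in the flaw: when no DNS-ID matches, the CN-ID is
    still consulted even though DNS-IDs are present."""
    if any(dns_id_matches(d, reference) for d in cert.get("DNS-ID", [])):
        return True
    cn = cert.get("CN-ID")
    return cn is not None and dns_id_matches(cn, reference)


def matches_rfc6125(cert: dict, reference: str) -> bool:
    """Corrected behaviour: CN-ID is consulted only when the certificate
    presents no DNS-ID, SRV-ID or URI-ID at all."""
    if any(cert.get(k) for k in ("DNS-ID", "SRV-ID", "URI-ID")):
        return any(dns_id_matches(d, reference) for d in cert.get("DNS-ID", []))
    cn = cert.get("CN-ID")
    return cn is not None and dns_id_matches(cn, reference)


# Constructed sample: the SAN names a different host, but the CN carries the
# name the client expects.
CRAFTED_CERT = {"DNS-ID": ["other.example.net"], "CN-ID": "ldap.example.com"}
# Constructed sample: a legacy certificate that carries only a CN.
CN_ONLY_CERT = {"CN-ID": "ldap.example.com"}

if __name__ == "__main__":
    print(matches_cn_fallback(CRAFTED_CERT, "ldap.example.com"))  # True: the flaw
    print(matches_rfc6125(CRAFTED_CERT, "ldap.example.com"))      # False: rejected
    print(matches_rfc6125(CN_ONLY_CERT, "ldap.example.com"))      # True: CN-ID honored
```

The third call shows that the fix does not break certificates that carry only a CN; the CN is ignored only when other identifier types are present.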
Acknowledgments: Name: Jakub Hrozek, Christian Heimes
In RHEL-8, this was fixed in openldap-2.4.46-10.el8
External References: https://bugzilla.redhat.com/show_bug.cgi?id=1740070
Related bugs:
- original fix: https://bugzilla.redhat.com/show_bug.cgi?id=1740070
- regression fixes for the above: https://bugzilla.redhat.com/show_bug.cgi?id=1788572 and https://bugzilla.redhat.com/show_bug.cgi?id=1814674