ldaps:// ignores alternative DNS names / SAN (Subject Alternative Name) certs if hostname != CN name

Nico Williams Nico.Williams at twosigma.com
Mon Feb 11 19:05:16 UTC 2019

On Sun, Feb 10, 2019 at 09:31:46PM -0800, Pallavi Sonal wrote:
> Please refer to the release notes for JDK 8u181 at
> https://www.oracle.com/technetwork/java/javase/8u181-relnotes-4479407.html ,
> there is a change to improve LDAP support and make it more secure. It is not
> possible now to establish an LDAPS connection to a server which presents a
> certificate whose CN or SAN does not contain the requested host name. So,
> either the same host name should be used which is there in the certificate's
> CN or SAN, or the certificate should be updated to have the matching hostname
> in its CN or SAN. I have added the snippet from the release notes below
> for your reference:

Heiko's post shows that the certificate had the correct hostname as a dNSName.

Sounds like a bug to me, and a serious one at that.
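For reference, the check the release note describes (endpoint identification of the LDAPS server certificate) is supposed to work as follows under RFC 6125: if the certificate carries any dNSName entries in its Subject Alternative Name, the requested hostname is matched against those entries and the CN is not consulted at all; the CN is only a fallback for certificates with no dNSName SAN, and an IP literal is matched only against iPAddress SAN entries. The block below is an added illustration of that rule written for this page, not code from the thread, the JDK or Heiko's setup. It represents certificates in the dict shape that Python's ssl.SSLSocket.getpeercert() returns, and the two sample certificates (an internal CN with a public dNSName SAN, and a legacy SAN-less one) are constructed for the example.

```python
"""Hostname matching for TLS endpoint identification, RFC 6125 style.

Added example: shows that a certificate whose CN differs from the requested
host must still be accepted when its SAN carries a matching dNSName, and that
the CN is ignored once any dNSName is present. Certificates are dicts in the
shape of ssl.SSLSocket.getpeercert(); the samples below are constructed.
"""
import ipaddress


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname, case-insensitively.

    A wildcard is honoured only as the entire leftmost label, only when at
    least two labels follow it, and it never matches across a dot.
    """
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in lab for lab in p_labels[1:]):
        return False
    # Same label count and identical tail: the wildcard consumes exactly one label.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def _san_entries(cert: dict, kind: str) -> list:
    """Return the SAN values of one type ('DNS' or 'IP Address')."""
    return [value for (typ, value) in cert.get("subjectAltName", ()) if typ == kind]


def _common_names(cert: dict) -> list:
    """Return every commonName attribute found in the subject RDNs."""
    return [value for rdn in cert.get("subject", ())
            for (attr, value) in rdn if attr == "commonName"]


def matches_hostname(cert: dict, hostname: str) -> bool:
    """Return True if `hostname` identifies the server described by `cert`."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literal: only iPAddress SAN entries count; CN is never consulted.
        return any(ipaddress.ip_address(v) == ip
                   for v in _san_entries(cert, "IP Address"))

    dns_names = _san_entries(cert, "DNS")
    if dns_names:
        # dNSName SAN present: it is authoritative and the CN is ignored.
        return any(_dns_label_match(p, hostname) for p in dns_names)
    # Legacy fallback: no dNSName in the SAN, compare against the CN(s).
    return any(_dns_label_match(cn, hostname) for cn in _common_names(cert))


# Constructed sample: CN names an internal host, SAN carries the public
# service name plus a wildcard and an IP address (all hypothetical).
LDAP_CERT = {
    "subject": ((("countryName", "DE"),), (("commonName", "ldap01.corp.internal"),)),
    "subjectAltName": (("DNS", "ldap.example.com"),
                       ("DNS", "*.ldap.example.com"),
                       ("IP Address", "192.0.2.10")),
}

# Constructed legacy sample with no SAN extension at all.
LEGACY_CERT = {"subject": ((("commonName", "ldap-legacy.example.com"),),)}

if __name__ == "__main__":
    for host in ("ldap.example.com", "ldap01.corp.internal", "eu.ldap.example.com",
                 "a.b.ldap.example.com", "192.0.2.10"):
        print(f"{host:24s} -> {matches_hostname(LDAP_CERT, host)}")
```

Running it shows ldap.example.com and eu.ldap.example.com accepted against LDAP_CERT even though neither equals the CN, and ldap01.corp.internal rejected because the CN is not consulted once a dNSName SAN exists. An implementation that instead compares the hostname to the CN first and only then looks at the SAN, or that skips the SAN when the CN differs, gets the first two cases wrong; that is the symptom the subject line describes.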

