In session_chkhost get the last CN, not the first.
[openldap] / libraries / libldap / tls_g.c
index e3c82bbc6f6f68fe1c2e9d3d884e1b8553b408e4..9313bfbf7cf37aff63d2bdd4300f4037878b7ead 100644 (file)
@@ -722,9 +722,24 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
        if ( ret >= 0 ) {
                ret = LDAP_SUCCESS;
        } else {
-               altnamesize = sizeof(altname);
-               ret = gnutls_x509_crt_get_dn_by_oid( cert, CN_OID,
-                       0, 0, altname, &altnamesize );
+               /* find the last CN */
+               i=0;
+               do {
+                       altnamesize = 0;
+                       ret = gnutls_x509_crt_get_dn_by_oid( cert, CN_OID,
+                               i, 1, altname, &altnamesize );
+                       if ( ret == GNUTLS_E_SHORT_MEMORY_BUFFER )
+                               i++;
+                       else
+                               break;
+               } while ( 1 );
+
+               if ( i ) {
+                       altnamesize = sizeof(altname);
+                       ret = gnutls_x509_crt_get_dn_by_oid( cert, CN_OID,
+                               i-1, 0, altname, &altnamesize );
+               }
+
                if ( ret < 0 ) {
                        Debug( LDAP_DEBUG_ANY,
                                "TLS: unable to get common name from peer certificate.\n",
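Review bot: The probe loop treats every result other than GNUTLS_E_SHORT_MEMORY_BUFFER as the end of the CN list, so a non-negative return from the zero-length probe at `i == 0` (plausible for an empty CN value, though not confirmed from this hunk) would leave `ret >= 0` with `altname` never filled, and the `if ( ret < 0 )` check below would be skipped. Because this value decides which name the peer certificate is matched against, the path should fail closed: add `if ( i == 0 && ret >= 0 ) ret = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;` just before the `if ( ret < 0 )` test. The `/* find the last CN */` comment would also be more useful if it said why the last CN is preferred and that the first call passes a zero-length buffer only to count entries, e.g. `/* probe with a zero-length buffer to count CNs; the last one is used for matching */`. The body of tlsg_session_chkhost starts and ends outside the hunk, so how `altname` is compared afterwards is not visible here.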