Re: SSL problems, certificate missmatch
Hello,
I'm not passing hostname to ldapsearch because I have only the default
hostnames (localhost.localadmin) setup. I start the server passing -h
"ldap:/// ldaps:///" which are supposed to use the default hostname. So I
can't see how I'm passing different hostnames.
I guess my problem is that I don't know where ldapsearch is getting the
information for what certificate to use, if I knew that then I could copy
the right certificate for it to use. Any suggestions please?
----- Original Message -----
From: "Norbert Klasen" <norbert.klasen@daasi.de>
To: "Leila Lappin" <galaxylappin@comcast.net>;
<OpenLDAP-software@OpenLDAP.org>
Sent: Friday, April 12, 2002 12:56 AM
Subject: Re: SSL problems, certificate missmatch
>
>
> --On Friday, 12 April 2002 01:43 -0700 Leila Lappin
> <galaxylappin@comcast.net> wrote:
>
> > I came across this problem because when I do ldapsearch without -ZZ I get
> > the data I'm expecting to see. But when I do the same search with -ZZ
> > option I only get "ldap_start_tls: Success" and no data. I looked
> > through diagnostics on the client side and saw an error with mismatched
> > hostnames on certificates. It's clear that two different certificates
> > are being used by the client and server but why and how can I fix it?
>
> You need to use the hostname that is specified in the certificate (either
> as CN attribute in the DN or as subjectAltName of type DNS) as the hostname
> you connect to. If these two don't match, the connection is aborted because
> this mismatch could result from a Man-in-the-Middle attack.
>
> --
> Norbert Klasen, Dipl.-Inform.
> DAASI International GmbH phone: +49 7071 29 70336
> Wilhelmstr. 106 fax: +49 7071 29 5114
> 72074 Tübingen email: norbert.klasen@daasi.de
> Germany web: http://www.daasi.de
>
>
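The check Norbert describes, as an added example that is not part of the thread or of OpenLDAP: a hostname-versus-certificate matcher in the style of what an LDAP client runs after StartTLS. It assumes the certificate is handed over in the dictionary layout Python's `ssl.SSLSocket.getpeercert()` returns, and the two sample certificates are constructed for the demonstration (the default-hostname server cert mirrors the situation in the question).

```python
"""Hostname verification of the kind a TLS client performs on the server cert.

Added example, not OpenLDAP code. Certificates use the dict layout that
ssl.SSLSocket.getpeercert() returns; the sample certs below are constructed.
"""


def cert_hostnames(cert):
    """Return (names, source) the certificate is valid for.

    RFC 6125 rule: if the certificate carries DNS subjectAltName entries, only
    those count; the subject commonName is consulted only when there are none.
    """
    sans = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans, "subjectAltName"
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return cns, "commonName"


def _name_matches(pattern, host):
    """Case-insensitive DNS match; a single leftmost '*' label matches one host label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Wildcard must be the whole leftmost label and must not cover a public suffix.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, host):
    """True if the name the client connected to is one the certificate vouches for."""
    names, _ = cert_hostnames(cert)
    return any(_name_matches(n, host) for n in names)


def explain_mismatch(cert, host):
    """None when the check passes, otherwise the diagnostic a client would log."""
    if hostname_matches(cert, host):
        return None
    names, source = cert_hostnames(cert)
    return (f"certificate names {', '.join(names) or '(none)'} ({source}) do not match "
            f"connected host '{host}': possible man-in-the-middle, aborting TLS")


# Constructed: a self-signed server cert issued only for the default hostname.
SERVER_CERT = {"subject": ((("countryName", "US"),), (("commonName", "localhost.localdomain"),))}
# Constructed: a cert with DNS SANs, whose CN is therefore ignored for matching.
SAN_CERT = {"subject": ((("commonName", "ignored.example"),),),
            "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "*.ldap.example.com"))}

if __name__ == "__main__":
    for host in ("localhost", "localhost.localdomain"):
        print(host, "->", explain_mismatch(SERVER_CERT, host) or "ok")
```

Connecting as `localhost` to a certificate issued for `localhost.localdomain` fails exactly as in the question; the fix is to connect under the name the certificate carries, or to issue a certificate for the name actually used.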