
Re: SSL problems, certificate mismatch



I found I have to start the server with:
-h "ldap:/// ldaps:///"
in order to get two listeners started. Check yours with the -d 9 debug
setting to see.

Then browse to https://host:636/ to get the certificate into a web browser
like netscape and ignore the "document has no content" message after the
certificate dialog.

LDAP Browser 2.8.2 asked if I wanted to accept the certificate after checking
the "Secure" check box. I suppose different clients will behave differently.

Leila Lappin wrote:
> 
> Hello,
> 
> I'm not passing hostname to ldapsearch because I have only the default
> hostnames (localhost.localadmin) set up.  I start the server passing -h
> "ldap:/// ldaps:///" which are supposed to use the default hostname.  So I
> can't see how I'm passing different hostnames.
> 
> I guess my problem is that I don't know where ldapsearch is getting the
> information for what certificate to use, if I knew that then I could copy
> the right certificate for it to use.  Any suggestions please?
> 
> ----- Original Message -----
> From: "Norbert Klasen" <norbert.klasen@daasi.de>
> To: "Leila Lappin" <galaxylappin@comcast.net>;
> <OpenLDAP-software@OpenLDAP.org>
> Sent: Friday, April 12, 2002 12:56 AM
> Subject: Re: SSL problems, certificate mismatch
> 
> >
> >
> > --On Freitag, 12. April 2002 01:43 -0700 Leila Lappin
> > <galaxylappin@comcast.net> wrote:
> >
> > > I came across this problem because when I do ldapsearch without -ZZ
> > > I get the data I'm expecting to see.  But when I do the same search
> > > with -ZZ
> > > option I only get "ldap_start_tls: Success" and no data.   I looked
> > > through diagnostics on the client side and saw an error with mismatched
> > > hostnames on certificates.  It's clear that two different certificates
> > > are being used by the client and server but why and how can I fix it?
> >
> > You need to use the hostname that is specified in the certificate (either
> > as CN attribute in the DN or as subjectAltName of type DNS) as the
> > hostname you connect to. If these two don't match, the connection is
> > aborted because this mismatch could result from a Man-in-the-Middle attack.
> >
> > --
> > Norbert Klasen, Dipl.-Inform.
> > DAASI International GmbH                 phone: +49 7071 29 70336
> > Wilhelmstr. 106                          fax:   +49 7071 29 5114
> > 72074 Tübingen                           email: norbert.klasen@daasi.de
> > Germany                                  web:   http://www.daasi.de
> >
> >
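The matching rule Norbert describes (the name you connect to must equal the certificate's CN or one of its subjectAltName DNS entries) is the check that makes ldapsearch -ZZ fail in this thread. The following is an added example, not code from the thread or from OpenLDAP: it implements that rule over the dictionary format that Python's ssl.SSLSocket.getpeercert() returns, preferring subjectAltName over CN as modern clients do, and includes a diagnostic fetch_peer_cert() helper (assumed usage: you supply the CA file that signed the server certificate) so a mismatch can be reported by name instead of as an opaque TLS failure. The sample certificate below is constructed for illustration; the CN "localhost.localadmin" is the default hostname mentioned in the thread.

```python
import socket
import ssl

# Constructed sample in getpeercert() format: a server certificate issued
# for the default hostname from the thread, with no subjectAltName.
DEFAULT_HOST_CERT = {
    "subject": ((("commonName", "localhost.localadmin"),),),
}


def cert_dns_names(cert):
    """Return (san_dns_names, common_names) from a getpeercert()-style dict."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]
    return san, cns


def _name_matches(pattern, hostname):
    """Case-insensitive match; a wildcard is allowed only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix_labels = pattern[2:].split(".")
        host_labels = hostname.split(".")
        # "*.example.com" matches "ldap.example.com" only: exactly one extra label,
        # and the wildcard must not cover a public suffix such as "*.com".
        return (
            len(suffix_labels) >= 2
            and len(host_labels) == len(suffix_labels) + 1
            and host_labels[1:] == suffix_labels
        )
    return False


def hostname_matches(cert, hostname):
    """True if hostname is covered by the certificate.

    subjectAltName DNS entries take precedence; the CN is consulted only when
    the certificate carries no DNS SAN at all.
    """
    san, cns = cert_dns_names(cert)
    candidates = san if san else cns
    return any(_name_matches(name, hostname) for name in candidates)


def explain_mismatch(cert, hostname):
    """Human-readable verdict, naming the hostnames the certificate is valid for."""
    san, cns = cert_dns_names(cert)
    valid_for = san if san else cns
    if hostname_matches(cert, hostname):
        return "OK: %r is covered by the certificate" % hostname
    return "MISMATCH: connected to %r but certificate is only valid for %s" % (
        hostname, ", ".join(repr(n) for n in valid_for) or "no DNS name",
    )


def fetch_peer_cert(host, port=636, cafile=None):
    """Fetch the server certificate from an ldaps:// listener for diagnosis.

    The chain is still verified against cafile (so the dict is populated), but
    hostname enforcement is turned off here so that explain_mismatch() can
    report the actual names in the certificate. Not called at import time.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # we do our own, more verbose, check above
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demonstration on the constructed certificate.
    print(explain_mismatch(DEFAULT_HOST_CERT, "localhost.localadmin"))
    print(explain_mismatch(DEFAULT_HOST_CERT, "ldap.example.com"))
```

Running the block prints an OK verdict for the default hostname and a MISMATCH verdict for any other name, which is the situation the thread describes: the client resolves or is given one name while the certificate was issued for localhost.localadmin. The fix on either side is the same one Norbert gives: connect using the name in the certificate, or reissue the certificate for the name clients actually use.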