subjectAltName in certificates (was: SSL certificates, kerberos keytabs, and load balancing)
Howard Chu writes:
> The actual syntax in OpenSSL is
> subjectAltName=dnsName:ldap.example.com
If I read rfc2830 section 3.6 right, one must put the real hostname - or
something with '*' which matches it - as well as the 'ldap.example.com'
name in subjectAltName:dnsName, because if subjectAltName:dnsName
exists, that is to be used _instead_ of the hostname in the
certificate's CN, not in addition to the CN.
However, OpenLDAP 2.1 with OpenSSL 0.9.7 accepts a hostname which is
only in the CN and not in the existing subjectAltName:dnsName.
Is that an OpenLDAP bug, an OpenSSL bug, an rfc2830 bug, or a bug in my
understanding?
Example: <ldap/ldaps>://beeblebrox.uio.no/'s certificate has
CN=beeblebrox.uio.no and subjectAltName:dnsName=ldap.uio.no.
It can be used with either hostname.
--
Hallvard
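Added example, not part of the post above and not code from OpenLDAP or OpenSSL: a small pure-Python hostname matcher that applies the RFC 2830 section 3.6 rules (case-insensitive comparison, '*' only in the left-most label, any one of several dNSName values acceptable) and exposes the two readings discussed in the post as a flag. With strict=True, a dNSName in subjectAltName is used instead of the CN, which is the reading of the RFC in the post; with strict=False, the CN is still consulted when no dNSName matches, which is the behaviour observed with OpenLDAP 2.1 and OpenSSL 0.9.7. The certificate is a constructed dict stand-in for the beeblebrox.uio.no certificate described in the post (CN=beeblebrox.uio.no, dNSName=ldap.uio.no), so no TLS library is needed; the dict layout, the strict flag and the whole-label-only wildcard handling are assumptions of this example, not anything from the RFC, the post or either project.

```python
"""RFC 2830 section 3.6 hostname matching, strict vs. lenient CN fallback.

Added illustration; not from the original post, OpenLDAP or OpenSSL.
Certificates are modelled as plain dicts (an assumption of this example):
    {"cn": "<subject CN>", "dns_names": ["<subjectAltName dNSName>", ...]}
"""
from typing import Dict, List, Optional

# Constructed stand-in for the certificate described in the post:
# CN=beeblebrox.uio.no, subjectAltName dNSName=ldap.uio.no.
BEEBLEBROX_CERT: Dict[str, object] = {
    "cn": "beeblebrox.uio.no",
    "dns_names": ["ldap.uio.no"],
}

# Constructed variant of the same certificate with the real hostname added to
# subjectAltName as well, which is the fix the post proposes.
BEEBLEBROX_CERT_FIXED: Dict[str, object] = {
    "cn": "beeblebrox.uio.no",
    "dns_names": ["ldap.uio.no", "beeblebrox.uio.no"],
}


def presented_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one presented name against the hostname the client connected to.

    RFC 2830 3.6: matching is case-insensitive; '*' is allowed and applies
    only to the left-most name component, so *.bar.com matches a.bar.com
    but not bar.com.  Simplification assumed here: the wildcard must be
    the entire left-most label and matches exactly one label.
    """
    pattern_labels = pattern.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard anywhere other than the left-most label is not permitted.
    if "*" in pattern_labels[1:]:
        return False
    if len(pattern_labels) != len(host_labels):
        return False
    if pattern_labels[0] == "*":
        return host_labels[0] != "" and pattern_labels[1:] == host_labels[1:]
    return pattern_labels == host_labels


def hostname_matches(cert: Dict[str, object], hostname: str,
                     strict: bool = True) -> bool:
    """Decide whether `hostname` is an acceptable identity for `cert`.

    strict=True : when any dNSName is present, only the dNSName values are
                  consulted and the CN is ignored (the RFC reading in the post).
    strict=False: fall back to the CN even when dNSNames exist (the lenient
                  behaviour the post observed with OpenLDAP 2.1 / OpenSSL 0.9.7).
    A match against any one dNSName is sufficient.
    """
    dns_names: List[str] = list(cert.get("dns_names", []))  # type: ignore[arg-type]
    if any(presented_name_matches(n, hostname) for n in dns_names):
        return True
    if dns_names and strict:
        return False
    cn: Optional[str] = cert.get("cn")  # type: ignore[assignment]
    return cn is not None and presented_name_matches(cn, hostname)


def report(cert: Dict[str, object], hostname: str) -> Dict[str, bool]:
    """Convenience: both verdicts for one hostname against one certificate."""
    return {
        "strict": hostname_matches(cert, hostname, strict=True),
        "lenient": hostname_matches(cert, hostname, strict=False),
    }


if __name__ == "__main__":
    for host in ("ldap.uio.no", "beeblebrox.uio.no"):
        print(host, "original cert:", report(BEEBLEBROX_CERT, host))
        print(host, "fixed cert:   ", report(BEEBLEBROX_CERT_FIXED, host))
```

Running it shows that the original certificate is accepted for beeblebrox.uio.no only under the lenient reading, while the variant with both names in subjectAltName is accepted for either hostname under both readings.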