
Re: Some TLS questions



On Wednesday, July 21, 2004, at 04:03 AM, Jean-Rene Cormier wrote:
> Hi, I'm currently setting up a new OpenLDAP 2.1.29 server on FC2 and I
> had some questions about TLS. I've set it up using a self signed CA and
> it works when I do a simple bind (with the -ZZ option) using the FQDN,
> if I use the IP address I get this error message:
>
> ldap_start_tls: Connect error (-11)
> additional info: TLS: hostname does not match CN in peer certificate
>
> Is there a way I can create the certificate so I can connect to the
> server using different hostnames so I could use CNAMEs to make
> openldap.mydomain.com point to hostname.mydomain.com?

Yes, you can put alternate host names in the "subjectAltName" field.
To make a request, I edit the SSL configuration file -

    req_extensions = v3_req
    ...
    [ v3_req ]
    subjectAltName = DNS: openldap.mydomain.com

So far, I have not seen any client object to this.

	Donn Cave, donn@u.washington.edu
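The thread above touches two things a practitioner wants to see side by side: what the client's hostname check actually compares (and why connecting by IP address fails against a certificate that only carries a CN or DNS names), and what the OpenSSL request configuration with several subjectAltName entries looks like. The following is an added example, not code from the original post or from OpenLDAP or OpenSSL. It models the peer-name check the way modern clients do it (RFC 6125 style: when any dNSName SAN is present the CN is ignored, an IP address target is compared only against iPAddress SAN entries, and a wildcard is honoured only as the whole leftmost label) and emits the `[ v3_req ]` section for a request. The `PeerCert` class, the hostnames and the address `192.0.2.10` are constructed for the example; older clients such as OpenLDAP 2.1 may still fall back to the CN, so treat the matcher as the strict case to design certificates for.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class PeerCert:
    """Minimal view of the identity fields a TLS client inspects (constructed model)."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)   # subjectAltName dNSName entries
    san_ip: List[str] = field(default_factory=list)    # subjectAltName iPAddress entries


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS match; '*' is accepted only as the entire leftmost label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        p_labels = pattern.split(".")
        h_labels = host.split(".")
        # '*.mydomain.com' covers 'openldap.mydomain.com' but not 'a.b.mydomain.com'
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def hostname_matches(cert: PeerCert, target: str) -> bool:
    """Return True if the name or address the client connected to is covered by cert."""
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None

    if target_ip is not None:
        # An IP literal is never matched against CN or dNSName entries,
        # which is why 'ldap -ZZ -h 192.0.2.10' fails against a CN-only certificate.
        return any(ipaddress.ip_address(entry) == target_ip for entry in cert.san_ip)

    # Once a certificate carries dNSName SANs, the CN is no longer consulted,
    # so the original hostname must be listed there too, not only the CNAME.
    candidates = cert.san_dns if cert.san_dns else [cert.common_name]
    return any(_dns_name_matches(name, target) for name in candidates)


def openssl_san_config(dns_names: List[str], ip_addrs: List[str]) -> str:
    """Render the request-extension sections for 'openssl req -config <file>'."""
    entries = [f"DNS:{name}" for name in dns_names] + [f"IP:{addr}" for addr in ip_addrs]
    return "\n".join([
        "[ req ]",
        "req_extensions = v3_req",
        "",
        "[ v3_req ]",
        "subjectAltName = " + ", ".join(entries),
    ]) + "\n"


if __name__ == "__main__":
    # Certificate with only a CN, as in the original setup (constructed sample).
    cn_only = PeerCert("hostname.mydomain.com")
    print("FQDN  vs CN-only :", hostname_matches(cn_only, "hostname.mydomain.com"))
    print("IP    vs CN-only :", hostname_matches(cn_only, "192.0.2.10"))
    print("CNAME vs CN-only :", hostname_matches(cn_only, "openldap.mydomain.com"))

    # Certificate that lists every name and the address the server is reached by.
    with_san = PeerCert(
        "hostname.mydomain.com",
        san_dns=["hostname.mydomain.com", "openldap.mydomain.com"],
        san_ip=["192.0.2.10"],
    )
    print("IP    vs SAN cert:", hostname_matches(with_san, "192.0.2.10"))
    print("CNAME vs SAN cert:", hostname_matches(with_san, "openldap.mydomain.com"))
    print(openssl_san_config(with_san.san_dns, with_san.san_ip))
```

The generated section is what `openssl req -new -config <file>` reads when `req_extensions = v3_req` is set; the CA must then copy the extension into the issued certificate (with OpenSSL's `ca` command that means `copy_extensions = copy` in the CA section, or an equivalent `-extfile` when signing with `x509`). A quick way to confirm the result is `openssl x509 -in server.crt -noout -ext subjectAltName`.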