Re: TLS fails

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

At 03:41 PM 2/15/2006, Quanah Gibson-Mount wrote:
>On Wednesday 15 February 2006 15:40, Jon Roberts wrote:
>> Quanah Gibson-Mount wrote:
>> > On Wednesday 15 February 2006 14:23, Ran Li wrote:
>> >>>>The funny thing is, TLS works fine from a remote host, but not on the
>> >>
>> >>server itself. I tried changing localhost to the actual DNS name of the
>> >>server, but still I get the same error.
>> >>is the ldap server a ldap client? my understanding is it has to be a
>> >>ldap client in order to make ldapsearch over tls work.
>> >
>> > You have to use the name in your search that matches the name in the
>> > certificate for TLS to work.
>>
>> In JLDAP clients I can connect to a remote ldaps server by using the ip
>> address as hostname, even though I obviously did not use the ip as the
>> name in the certificate. Is that advice specific to ldapsearch,
>> StartTLS, or something else I might be confused about?
>
>I'm guessing that JLDAP translates the IP address to the FQDN.

Which is counter to both general and LDAP-specific
TLS certificate verification rules.  One shouldn't
trust DNS.  Sounds like a JLDAP bug to me.

>ldapsearch -ZZZ -h 171.67.16.11 uid=quanah uid
>ldap_start_tls: Connect error (-11)
>        additional info: error:14090086:SSL 
>routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Assuming the certificate doesn't list the
IP address 171.67.16.11 as a alternative subject
name (which ldapsearch(1) should check), correct.    

Kurt