Re: load balancer with SSL



>
> Jeremiah,
>
> I did the test with TLS_REQCERT set to 'allow' and got the same result
> as you. I am not sure what they mean by 'bad certificate' in the manual
> page of 'ldap.conf'.
>

Generally a bad certificate means a certificate whose signature cannot
be verified by the SSL library, or a missing certificate. If a
certificate is provided and the SSL library can verify it, then it will
be used. If the hostname doesn't match, the connection will fail. I.e.,
hostname matches are never ignored once the certificate is verified. For
a load balancing situation you must use subjectAltNames with the
relevant names, that's all there is to it.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/




Howard Chu,

  Sorry to resurrect this thread after so many months. I have a
question as to why, if I put "TLS_REQCERT never" in my ldap.conf,
openldap does anything at all with any certificates. It seems to me from
the man page for ldap.conf that never causes "The client will not request
or check any server certificate."

  In my instance (I still haven't solved this problem), I put
"TLS_REQCERT never" in my ldap.conf, but still get this error from
openldap:

TLS: hostname (loadbalancer.example.com) does not match common name in
certificate (server1.example.com).

  Your thoughts?

  Thanks,
- Jeremiah
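The identity check both messages turn on, as an added example that is not part of the thread or of OpenLDAP's code: a small model of RFC 6125 hostname matching (subjectAltName dNSName entries preferred, CN consulted only when the certificate has no dNSName SAN, single left-most wildcard label). The certificate identities below are constructed from the names in the thread; it shows why a certificate issued only to server1.example.com fails for the load balancer name and why a SAN list covering every name behind the balancer resolves it.

```python
"""Model of the server-name check a TLS client performs after the chain
has verified. Constructed example, not OpenLDAP's implementation."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertIdentity:
    """The names a server certificate asserts (constructed, not parsed)."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)


def _label_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match. A single '*' is accepted only as
    the whole left-most label, never matches more than one label, and is
    refused for names shorter than three labels (no '*.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: CertIdentity, hostname: str) -> Optional[str]:
    """Return the certificate name that matched the connected hostname, or
    None: the 'hostname does not match' failure from the thread. When any
    dNSName SAN is present the CN is ignored entirely (RFC 6125 6.4.4)."""
    candidates = cert.san_dns if cert.san_dns else [cert.common_name]
    for name in candidates:
        if _label_match(name, hostname):
            return name
    return None


# Constructed identities: the CN-only certificate from the error message,
# and the same certificate reissued with SANs for every name in play.
CN_ONLY = CertIdentity(common_name="server1.example.com")
WITH_SAN = CertIdentity(
    common_name="server1.example.com",
    san_dns=["server1.example.com", "server2.example.com",
             "loadbalancer.example.com"],
)

if __name__ == "__main__":
    for cert in (CN_ONLY, WITH_SAN):
        for host in ("loadbalancer.example.com", "server1.example.com"):
            print(cert.san_dns or "CN only", host, "->", hostname_matches(cert, host))
```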