Re: load balancer with SSL

[Howard Chu <hyc@symas.com>]

Aaron Richton wrote:
> I don't see this...

You're seeing the correct behavior; libldap was changed along these 
lines back in April 2003. If someone is trying this and getting a 
different behavior they must be using a very very old library.

> [put NotTheCert in /etc/hosts]
>
> $ ldapsearch -x -LLL -ZZ -H "ldap://NotTheCert.rutgers.edu/"; 
> '(doesnt=exist)'
> No such object (32)
> $ ed ldap.conf
> 633
> 1,$s/never/demand/p
> TLS_REQCERT     demand
> w
> 634
> q
> $ ldapsearch -x -LLL -ZZ -H "ldap://NotTheCert.rutgers.edu/"; 
> '(doesnt=exist)'
> ldap_start_tls: Connect error (-11)
>         additional info: TLS: hostname does not match CN in peer 
> certificate
>
> Certainly appears to instigate different behavior to me.
>
> However, the whole point of the load balancer is to make everything look 
> the same. Toward that end, why would you want server1 and server2 to 
> look different--might as well lose the load balancer at that point. With 
> the load balancer, either use subjectAltNames, or just get a cert for 
> "loadbalancer.example.com" and use that. We do the latter; I don't 
> *want* the users to see that they're connected to server1 or server2 or....

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/