
Re: start_tls: connect error



Howard Chu <hyc@symas.com> writes:

> Dieter Kluenter wrote:
>> Hi,
>> I just wonder whether this is a bug in OpenSSL or in OpenLDAP; anyhow,
>> the subjectAltName attribute values are not honoured.
>> openssl-0.9.8k-3.5.3.x86_64
>> openldap-2.4.21
>> 
>> ldapwhoami -Y EXTERNAL -ZZ -H ldap://localhost
>> ldap_start_tls: Connect error (-11)
>> additional info: TLS: hostname does not match CN in peer certificate
>> 
>> openssl x509 -in cert.pem -noout -text
>> Subject: C=DE, L=Hamburg, O=AVCI, OU=Certificate Authority, CN=rubin.avci.de/emailAddress=hdk@dkluenter.de
>> ...
>> X509v3 Subject Alternative Name: 
>>  DNS:localhost, DNS:ldap.xxxx.de, DNS:dkluenter.xxxx.org
>> 
>> Not to mention that this is OK with other versions of openldap and
>> openssl.
[...]
> Show the output with debugging enabled. Note that "localhost" is treated
> specially, and will be replaced by the local hostname instead of being used
> directly in the name comparison.

Found the culprit. As usual it is my beloved Yast :-)
This is a new setup of openSUSE-11.2; /etc/hosts has the following
entries:

127.0.0.1       localhost
::1             localhost ipv6-localhost ipv6-loopback
[ more ipv6 entries ]
127.0.0.2       rubin rubin
192.168.100.16  rubin.avci.de rubin
[ more entries ]

Removing the 127.0.0.2 entry solved it.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N
10°08'02,42"E
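The following is an added model of the two mechanisms that interact in this thread, written for this page and not taken from libldap or OpenSSL. It assumes what Howard Chu describes above (the client replaces "localhost" with the local machine's canonical name before comparing), that the canonical name is what a hosts-file resolver backend returns (first name on the first /etc/hosts line listing the short hostname), and that the client checks SAN dNSName entries and then falls back to the CN, which is what the quoted outcome implies; the hosts file and certificate names are constructed from the lines quoted in the message, with the placeholder lines omitted. Newer RFC 6125 style verifiers ignore the CN whenever a SAN is present, so a client like that would not be rescued by removing the 127.0.0.2 line unless "rubin.avci.de" were also listed as a dNSName.

```python
"""Model of the check behind "TLS: hostname does not match CN in peer
certificate" in this thread.  Added illustration, not libldap's code.

Two things combine:
 1. the client substitutes the local machine's canonical name for
    "localhost" before comparing (Howard Chu's point above), and
 2. that canonical name is whatever the resolver's hosts-file backend
    returns: the first name on the first /etc/hosts line that lists the
    short hostname (modelled here; glibc's "files" backend behaves so).
"""
from __future__ import annotations

# Constructed from the /etc/hosts lines quoted in the message (the
# "[ more ... ]" placeholder lines are left out).  Order matters: the
# resolver stops at the first line that mentions the name.
HOSTS_BROKEN = """\
127.0.0.1       localhost
::1             localhost ipv6-localhost ipv6-loopback
127.0.0.2       rubin rubin
192.168.100.16  rubin.avci.de rubin
"""
# The same file after the 127.0.0.2 line is removed, as Dieter did.
HOSTS_FIXED = "\n".join(
    line for line in HOSTS_BROKEN.splitlines() if not line.startswith("127.0.0.2")
) + "\n"

# Names taken from the quoted `openssl x509 -text` output.
CERT_CN = "rubin.avci.de"
CERT_SAN_DNS = ["localhost", "ldap.xxxx.de", "dkluenter.xxxx.org"]
LOCAL_HOSTNAME = "rubin"  # what gethostname() returns on that box (assumed)


def canonical_name(hosts_text: str, short_name: str) -> str | None:
    """Emulate gethostbyname()'s h_name for a name served from the hosts
    file: scan in order and, on the first line whose names include
    `short_name`, return the first name on that line."""
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        names = fields[1:]
        if any(n.lower() == short_name.lower() for n in names):
            return names[0]
    return None


def effective_name(requested: str, hosts_text: str, local_hostname: str) -> str:
    """The name the client really compares against the certificate."""
    if requested.lower() == "localhost":
        return canonical_name(hosts_text, local_hostname) or local_hostname
    return requested


def dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName comparison; a single leading '*.' label
    matches exactly one label (assumption made for this model)."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h


def check_peer_name(requested: str, san_dns: list[str], cn: str, hosts_text: str,
                    local_hostname: str, substitute_localhost: bool = True) -> tuple[bool, str]:
    """Return (accepted, name_actually_compared).  SAN dNSName entries are
    tried first, then the CN, which is the fallback order the thread's
    outcome implies (the fixed setup matches only the CN)."""
    name = effective_name(requested, hosts_text, local_hostname) if substitute_localhost else requested
    ok = any(dns_name_matches(p, name) for p in san_dns) or dns_name_matches(cn, name)
    return ok, name


if __name__ == "__main__":
    for label, hosts in (("with 127.0.0.2 line", HOSTS_BROKEN), ("line removed", HOSTS_FIXED)):
        ok, compared = check_peer_name("localhost", CERT_SAN_DNS, CERT_CN, hosts, LOCAL_HOSTNAME)
        print(f"{label:22s} compared {compared!r:16s} -> {'ok' if ok else 'hostname mismatch'}")
    ok, compared = check_peer_name("localhost", CERT_SAN_DNS, CERT_CN, HOSTS_BROKEN,
                                   LOCAL_HOSTNAME, substitute_localhost=False)
    print(f"{'no substitution':22s} compared {compared!r:16s} -> {'ok' if ok else 'hostname mismatch'}")
```

Running it shows why the SAN entry `DNS:localhost` never helped: with the 127.0.0.2 line present the resolver canonicalises "rubin" to the bare "rubin", which matches neither SAN nor CN; without that line it canonicalises to "rubin.avci.de", which matches the CN. A client that compared the literal "localhost" would have accepted the certificate either way, which is the "other versions" behaviour Dieter noticed.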