
Re: certificate warnings



On Tue, 16 Mar 2010, Brett @Google wrote:
> Is there any way of suppressing the SSL warning/error "TLS: hostname 
> (XXXXX) does not match common name in certificate" for a syncrepl 
> client?
> 
> This error is being returned by a syncrepl client which is negotiating 
> SSL talking to a syncrepl server by using its (actual / real) server 
> name, but as the server name returns a certificate based on its 
> (external / content switch) server name, the ssl library on the client 
> waits for a randomly long time, and then returns the error above as the 
> cert returned does not exactly match the hostname configured in the 
> provider="" line, in the syncrepl client configuration.

Right answer: give (each) server a cert which has a subjectAltName 
extension that includes its real name.


> If it's indeed a warning, then the syncrepl client should ignore it, but 
> it does not, so effectively it is an error as it causes the syncrepl 
> client to abort its connection.

I-Don't-Really-Care-About-Security Answer: set the tls_reqcert suboption 
on the syncrepl option to disable checking of connected to URL against the 
returned certificate's names.  Or, the better way to do that (but still 
insecure) is to configure it to use an anonymous cipher-suite, thereby 
saving a bunch of crypto during TLS handshakes.


Philip Guenther
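An added example (not part of this thread or of OpenLDAP) illustrating the subjectAltName fix: it builds a self-signed certificate in Go using constructed names, ldap.example.test for the content-switch name and ldap1.internal.example.test for a provider's real name, and runs the client-side hostname check against each. Modern verifiers such as Go's ignore the Common Name entirely, so only the certificate whose SAN lists the real name passes for the provider="" hostname.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed names: the external (content switch) name clients normally see,
// and the real name of one provider behind it.
const (
	ExternalName = "ldap.example.test"
	RealName     = "ldap1.internal.example.test"
)

// NewProviderCert builds a self-signed cert with cn as Common Name and sans as
// the subjectAltName DNS entries. A real deployment would have a CA sign it.
func NewProviderCert(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans, // this is what the hostname check actually consults
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NameMatches reports whether a client that connected to host would accept cert,
// the same kind of check a syncrepl client with tls_reqcert=demand performs.
func NameMatches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	cnOnly, _ := NewProviderCert(ExternalName, nil) // what the switch hands out today
	withSAN, _ := NewProviderCert(ExternalName, []string{ExternalName, RealName})
	for _, c := range []*x509.Certificate{cnOnly, withSAN} {
		fmt.Printf("SAN=%v external=%v real=%v\n", c.DNSNames,
			NameMatches(c, ExternalName), NameMatches(c, RealName))
	}
}
```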