Re: Hostname does not match common name problem



Sascha wrote:
> 
> I have a problem with an LDAP server that I need to connect to. I
> have the required certificate stored on the client but I am getting
> the following error message:
> 
> "TLS: hostname (A.xyz123.com) does not match common name in 
> certificate (*.xyz123.com)"

Personally I'm scared of accepting wildcard certs for security reasons.

> As far as I understand it, RFC4514 section 3.1.3 allows wildcards
> thus the connection should work, shouldn't it?

It's RFC 4513, section 3.1.3. And there it says:

   The server's identity may also be verified by comparing the reference
   identity to the Common Name (CN) [RFC4519] value in the leaf Relative
   Distinguished Name (RDN) of the subjectName field of the server's
   certificate.  This comparison is performed using the rules for
   comparison of DNS names in Section 3.1.3.1, below, with the exception
   that no wildcard matching is allowed.

So wildcard DNS names in the CN are explicitly not allowed. You can try with
wildcard patterns in the subjectAltName cert extension.

> What is confusing me is that 
> 
> "openssl s_client -connect A.xyz123.com:636 -CAfile /etc/ssl/certs/rootca.cer" 
> 
> results in:
> 
> Verify return code: 0 (ok)
> 
> If I am not mistaken, openssl accepts the server based on the certificate but openldap does not.

It's up to the particular SSL/TLS client implementation what it accepts.

Ciao, Michael.
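An added illustration of the RFC 4513 section 3.1.3 rule quoted above (example code, not from this thread or from OpenLDAP): the certificate is represented as constructed data with a CN and subjectAltName dNSName values, and the check mirrors the case in the thread.

```python
# Added example: an RFC 4513 section 3.1.3 style server-identity check.
# The certificate is constructed data (CN plus subjectAltName dNSName
# values), not parsed from a real certificate file.

def _labels(name):
    # Normalise a DNS name: lower-case, drop one trailing dot, split labels.
    return name.lower().rstrip(".").split(".")

def dns_name_matches(reference, presented, allow_wildcard):
    """Compare the reference identity (the hostname the client connected to)
    with one name presented in the certificate.

    Per RFC 4513 section 3.1.3.1 a '*' is only honoured as the whole
    left-most label and matches exactly one label, so '*.xyz123.com'
    matches 'a.xyz123.com' but not 'xyz123.com' or 'a.b.xyz123.com'.
    With allow_wildcard=False (the CN rule) the names must match literally.
    """
    ref, pres = _labels(reference), _labels(presented)
    if len(ref) != len(pres):
        return False
    if allow_wildcard and pres[0] == "*":
        return ref[1:] == pres[1:]
    return ref == pres

def verify_server_identity(hostname, cert):
    """Return (matched, reason) for a cert given as a dict with keys
    'cn' (str or None) and 'san_dns' (list of dNSName values)."""
    # subjectAltName dNSName values are checked first; wildcards are allowed.
    for san in cert.get("san_dns", []):
        if dns_name_matches(hostname, san, allow_wildcard=True):
            return True, "matched subjectAltName dNSName %s" % san
    # Fall back to the CN of the leaf RDN, where no wildcard matching is allowed.
    cn = cert.get("cn")
    if cn and dns_name_matches(hostname, cn, allow_wildcard=False):
        return True, "matched CN %s" % cn
    return False, ("hostname (%s) does not match common name in certificate (%s)"
                   % (hostname, cn))

# Constructed sample certificates mirroring the thread's case.
CERT_WILDCARD_CN_ONLY = {"cn": "*.xyz123.com", "san_dns": []}
CERT_WILDCARD_SAN = {"cn": "*.xyz123.com", "san_dns": ["*.xyz123.com"]}

if __name__ == "__main__":
    for cert in (CERT_WILDCARD_CN_ONLY, CERT_WILDCARD_SAN):
        print(verify_server_identity("A.xyz123.com", cert))
```

The first certificate reproduces the error message from the original post; the second, carrying the wildcard in subjectAltName, passes.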