TLS hostname check failure and subjectAltname extension
- To: openldap-technical@openldap.org
- Subject: TLS hostname check failure and subjectAltname extension
- From: Michael Ströder <michael@stroeder.com>
- Date: Thu, 12 Jan 2012 17:31:31 +0100
- Dkim-signature: v=1; a=rsa-sha1; c=relaxed/relaxed; t=1326385893; l=1139; s=domk; d=stroeder.de; h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From: Date:X-RZG-CLASS-ID:X-RZG-AUTH; bh=MN9VhiaQfQxTq+73fKCUMBjGDug=; b=J7dc4+65K2dLsgi/GKhSb1Gxx3T5ehKdOX9YyFLOxpbBExoRjPgJL1XDdZ+5E5pvWu9 sIoZUjIql6u/ZgQiBpsap09RDTgu6AudlkplF+HMbnvT/Ikl7KyGSOcMj/ep8VoF+fSNF 1NGChkS8LprU8p3yGrkIbUi0qNWcEvYCd9Q=
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:9.0.1) Gecko/20111221 Firefox/9.0.1 SeaMonkey/2.6.1
Hi!
We're using self-compiled OpenLDAP 2.4.27 under RHEL 6.1 linked against
OpenSSL 1.0.0 libs shipped with RHEL.
(some names are consistently obfuscated herein to keep real names confidential)
Unfortunately we can't get StartTLS to work. It always fails:
# /opt/xxxdir/bin/ldapsearch -x -ZZ ldap://ldap-srv01.rz.domain
ldap_start_tls: Connect error (-11)
additional info: TLS: hostname does not match CN in peer certificate
# /opt/xxxdir/bin/ldapsearch -x -ZZ ldap://ldap.domain
ldap_start_tls: Connect error (-11)
additional info: TLS: hostname does not match CN in peer certificate
But OpenSSL lists the (IMO correct) hostnames in the server's certificate:
---------------------------------- snip ----------------------------------
Subject: CN=ldap.domain,OU=xxx,O=xxx,C=DE
[..]
X509v3 Subject Alternative Name:
email:certificate@xxx.domain,
DNS:ldap.domain,
DNS:ldap-srv01.rz.domain,
DNS:ldap-srv02.rz.domain
---------------------------------- snip ----------------------------------
Is the hostname check confused by the email in the first subjectAltName
sequence value?
Ciao, Michael.
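As an added illustration (not part of Michael's post, and not OpenLDAP's or OpenSSL's own code), the following Python reference implementation shows what a standards-conformant hostname check over a certificate like the one quoted above should do: only dNSName entries of the subjectAltName extension are consulted, other entry types such as the email entry are skipped, and the subject CN is used only as a fallback when the certificate carries no dNSName at all (RFC 6125, section 6.4). The SAN list and CN below are constructed from the snippet in the post; whether a given OpenLDAP/OpenSSL build behaves this way is not something this example asserts.

```python
"""Added example: RFC 6125-style hostname verification over a parsed SAN list.
Not OpenLDAP code; the SAN/CN sample is constructed from the mailing-list post."""
from typing import Iterable, Optional, Tuple

# Constructed (type, value) pairs mirroring the certificate quoted in the post.
SAMPLE_SAN = [
    ("email", "certificate@xxx.domain"),
    ("DNS", "ldap.domain"),
    ("DNS", "ldap-srv01.rz.domain"),
    ("DNS", "ldap-srv02.rz.domain"),
]
SAMPLE_CN = "ldap.domain"


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname.

    Comparison is case-insensitive and ignores a trailing dot. A '*' is
    honoured only as the entire left-most label, must leave at least two
    further labels (so '*.domain' is rejected), and never spans a dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    if any("*" in label for label in plabels[1:]):
        return False
    return plabels[1:] == hlabels[1:]


def check_hostname(hostname: str,
                   san: Iterable[Tuple[str, str]],
                   cn: Optional[str]) -> Tuple[bool, str]:
    """Return (ok, reason) for a hostname against SAN entries and the CN.

    Only dNSName entries are consulted; email, URI, IP and other SAN types
    are ignored rather than treated as a mismatch. The CN is a fallback
    used solely when the certificate has no dNSName entry at all.
    """
    dns_names = [value for kind, value in san if kind.upper() == "DNS"]
    if dns_names:
        for name in dns_names:
            if dns_name_matches(name, hostname):
                return True, f"matched dNSName {name}"
        return False, "no dNSName matched; CN ignored because SAN has dNSName entries"
    if cn is not None and dns_name_matches(cn, hostname):
        return True, "matched CN (certificate has no dNSName)"
    return False, "no dNSName and CN does not match"


if __name__ == "__main__":
    for host in ("ldap-srv01.rz.domain", "ldap.domain", "ldap-srv03.rz.domain"):
        print(host, check_hostname(host, SAMPLE_SAN, SAMPLE_CN))
```

Run against the sample, both names that fail in the post (ldap-srv01.rz.domain and ldap.domain) are accepted, because each appears as a dNSName and the preceding email entry is simply skipped; a client that reports a mismatch for these names is therefore not applying the check this way.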