OpenLDAP does not support * certs (ITS#2826)
Full_Name: Quanah Gibson-Mount
Version: 2.1.23
OS: Solaris 8
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (171.64.19.82)
Hello,
We just got a *.stanford.edu cert to take care of various TLS problems we've run
into with OpenLDAP and software load balancing. However, the TLS libraries
return:
ldapsearch -ZZZ -h ldap-test1.stanford.edu uid=quanah
TLS: hostname (ldap-test1.stanford.edu) does not match common name in certificate (*.stanford.edu)
TLS: hostname does not match CN in peer certificate
Here is our * cert:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c0:25:a6:07:bc:44:4f:17:5d:d9:38:c4:d9:20:b7:1d
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=GB, O=Comodo Limited, OU=Comodo Trust Network, OU=Terms and Conditions of use: http://www.comodo.net/repository, OU=(c)2002 Comodo Limited, CN=Comodo Class 3 Security Services CA
        Validity
            Not Before: Nov 12 00:00:00 2003 GMT
            Not After : Nov 11 23:59:59 2004 GMT
        Subject: C=US/2.5.4.17=94305, ST=California, L=Stanford/2.5.4.9=Polya Hall 251, O=Stanford University, OU=ITSS, OU=Issued through Stanford University E-PKI Manager, OU=PremiumSSL Wildcard, CN=*.stanford.edu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:F6:52:22:17:15:13:08:03:59:BF:18:95:9F:48:B4:B9:E9:FE:F8:66
            X509v3 Subject Key Identifier:
                8D:C5:63:81:39:AA:83:39:37:6C:DE:C2:E9:C7:8D:A6:CD:B7:FF:52
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.1.3.4
                  CPS: https://secure.comodo.net/CPS
            X509v3 CRL Distribution Points:
                URI:http://crl.comodo.net/Class3SecurityServices_2.crl
                URI:http://crl.comodoca.com/Class3SecurityServices_2.crl
                email:Class3SecurityServices_2@crl.comodo.net
            Netscape Cert Type:
                SSL Client, SSL Server
    Signature Algorithm: sha1WithRSAEncryption
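
Added example, not part of the original report and not OpenLDAP's code: a C function for the leftmost-label wildcard rule of RFC 2818 section 3.1, under which a name of the form `*.stanford.edu` is accepted for `ldap-test1.stanford.edu` but not for the bare domain or a deeper subdomain. The function name `cert_name_matches` is hypothetical, and the assumption is that only the exact `*.<suffix>` form counts as a wildcard.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Hypothetical helper: return 1 if hostname is covered by the certificate
 * name in pattern, 0 otherwise. A wildcard is honoured only as a whole
 * leftmost label ("*.suffix") and stands for exactly one non-empty label. */
int cert_name_matches(const char *pattern, const char *hostname)
{
    if (pattern == NULL || hostname == NULL || !*pattern || !*hostname)
        return 0;

    /* No wildcard at all: plain case-insensitive comparison. */
    if (strchr(pattern, '*') == NULL)
        return strcasecmp(pattern, hostname) == 0;

    /* Reject partial or misplaced wildcards: "l*.x", "*", "a.*.b", "*.*.x". */
    if (pattern[0] != '*' || pattern[1] != '.' || strchr(pattern + 1, '*'))
        return 0;
    const char *suffix = pattern + 1;          /* e.g. ".stanford.edu" */

    /* The hostname needs a non-empty first label for the wildcard to cover. */
    const char *dot = strchr(hostname, '.');
    if (dot == NULL || dot == hostname)
        return 0;

    /* Everything after the first label must equal the suffix, so the
     * wildcard never spans a dot and never matches the bare domain. */
    return strcasecmp(dot, suffix) == 0;
}

int main(void)
{
    /* Names taken from the report above plus constructed negative cases. */
    const char *hosts[] = { "ldap-test1.stanford.edu", "stanford.edu",
                            "a.ldap-test1.stanford.edu" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-28s %s\n", hosts[i],
               cert_name_matches("*.stanford.edu", hosts[i]) ? "match" : "no match");
    return 0;
}
```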