[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: OpenLDAP does not support * certs (ITS#2826)
> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of quanah@stanford.edu
> Full_Name: Quanah Gibson-Mount
> Version: 2.1.23
> OS: Solaris 8
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (171.64.19.82)
> Hello,
>
> We just got a *.stanford.edu cert to take care of various TLS
> problems we've run
> into with OpenLDAP and software load balancing. However, the
> TLS libraries
> return:
>
> ldapsearch -ZZZ -h ldap-test1.stanford.edu uid=quanah
>
> TLS: hostname (ldap-test1.stanford.edu) does not match common name in
> certificate (*.stanford.edu)
>
> TLS: hostname does not match CN in peer certificate
>
> Here is our * cert:
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> c0:25:a6:07:bc:44:4f:17:5d:d9:38:c4:d9:20:b7:1d
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: C=GB, O=Comodo Limited, OU=Comodo Trust
> Network, OU=Terms and
> Conditions of use: http://www.comodo.net/repository,
> OU=(c)2002 Comodo Limited,
> CN=Comodo Class 3 Security Services CA
> Validity
> Not Before: Nov 12 00:00:00 2003 GMT
> Not After : Nov 11 23:59:59 2004 GMT
> Subject: C=US/2.5.4.17=94305, ST=California,
> L=Stanford/2.5.4.9=Polya
> Hall 251, O=Stanford University, OU=ITSS, OU=Issued through
> Stanford University
> E-PKI Manager, OU=PremiumSSL Wildcard, CN=*.stanford.edu
The rules for certificate usage don't allow wildcards in the Subject DN of a
cert. Wildcards are only allowed in subjectAltName extensions. (See RFC 2459,
wildcards are explicitly allowed in section 4.2.1.7 but are not mentioned at
all in section 4.1.2.6.)
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support