[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#3158) ldapsearch does not match simple hostnames against fqdns in certificates

On Tue, Jan 04, 2005 at 11:55:58AM -0600, Chad Walstrom wrote:
> The private interface IP address does not resolve to the public host name, nor
> should it in our network setup.  The FQDN requirement fails in this
> environment.

Additionally, this throws off even the loopback interface  You have
to populate your /etc/hosts file with the public FQDN for each interface it's on
and do the same for every client on the private network (or implement a DNS
zone).  Again, a heavy-handed work-around for something that should be a
configurable option by the client.

If a Certificate is signed by a CA that is found in the CA path directory, then
why force the whole FQDN requirement?  It doesn't fit the model of SSL/TLS
certificate management.

Print a warning if you must, but don't disable client functionality by default.

Chad C. Walstrom <walst005@umn.edu>                   247 Gortner Hall
Asst. Director of IT                                Help: 612-625-9284
CBS Computing Services, UMN                        Phone: 612-624-2918