Re: (ITS#6838) TLS client will not accept certificate for 'localhost'
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#6838) TLS client will not accept certificate for 'localhost'
- From: firstname.lastname@example.org
- Date: Fri, 18 Feb 2011 00:30:25 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
> Full_Name: Andrew Findlay
> Version: 2.4.24
> OS: OpenSuSE 11.3
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (188.8.131.52)
> For various test and teaching purposes I have a set of OpenLDAP configs that run
> small servers intended for local access only. As I run these on a wide variety
> of machines and also give them to students to run on their own machines, all the
> LDAP clients are set up to access the servers via the loopback interface:
> typically ldap://localhost:1389/
> Some of the configs use TLS. I have a local CA which issues simple server certs,
> usually with 'CN=localhost' as part of the subject name. Since upgrading the OS
> and OpenLDAP version of my main test environment I find that TLS connections are
> My client scripts used to work: I think this was purely because earlier versions
> of the TLS client code were less careful about checking certificates.
> Specifically, the 'self signed certificate in certificate chain' error was not
> even reported unless client-side debugging was turned on.
Used to work - since when, what release, what else has changed since then?
I'll note that I just tested some localhost certs a few days ago and they were
fine, and the cert verification code hasn't changed in quite a long time.
(E.g., ITS#6711: the test setup there uses localhost with no problem.)
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
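Added example, not part of the thread: the client-side ldap.conf settings that decide whether a cert from a local CA is accepted for ldap://localhost:1389/. The 'self signed certificate in certificate chain' error means the client does not trust the CA at the top of the server's chain; the fix is to point TLS_CACERT at that CA, not to turn verification off. File and CA paths are assumptions.

```conf
# Client-side ldap.conf (e.g. /etc/openldap/ldap.conf or ~/.ldaprc).
# Server reached over the loopback interface, as in the report.
URI     ldap://localhost:1389/

# --- Weak setting: makes the error go away by skipping server
#     certificate verification entirely, so any process listening on
#     that port is accepted as the server. Avoid even in test setups.
#TLS_REQCERT never

# --- Corrected setting: trust the local CA that issued the server
#     cert and keep verification mandatory. The file must hold the CA
#     certificate (PEM), not the server certificate; the server's chain
#     has to terminate at a cert in this file. Path is an assumption.
TLS_CACERT  /etc/openldap/certs/local-test-ca.pem
TLS_REQCERT demand

# The host part of URI must match a name in the server certificate
# (CN=localhost here, or a subjectAltName). Connecting to 127.0.0.1
# instead of localhost would not match a cert that only names 'localhost'.
```

A quick check is `ldapsearch -x -ZZ -H ldap://localhost:1389/ -b '' -s base -d 1`, which fails hard if StartTLS or verification fails and prints the TLS trace.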