[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6838) TLS client will not accept certificate for 'localhost'

andrew.findlay@skills-1st.co.uk wrote:
> Full_Name: Andrew Findlay
> Version: 2.4.24
> OS: OpenSuSE 11.3
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (
> For various test and teaching purposes I have a set of OpenLDAP configs that run
> small servers intended for local access only. As I run these on a wide variety
> of machines and also give them to students to run on their own machines, all the
> LDAP clients are set up to access the servers via the loopback interface:
> typically ldap://localhost:1389/
> Some of the configs use TLS. I have a local CA which issues simple server certs,
> usually with 'CN=localhost' as part of the subject name. Since upgrading the OS
> and OpenLDAP version of my main test environment I find that TLS connections are
> failing:

> My client scripts used to work: I think this was purely because earlier versions
> of the TLS client code were less careful about checking certificates.
> Specifically, the 'self signed certificate in certificate chain' error was not
> even reported unless client-side debugging was turned on.

Used to work - since when, what release, what else has changed since then? 
I'll note that I just tested some localhost certs a few days ago and they were 
fine, and the cert verification code hasn't changed in quite a long time.

(E.g., ITS#6711 the test setup there uses localhost with no problem.)

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/