
Re: (ITS#9021) TLS: can't connect: TLS: hostname does not match CN in peer certificate



darshankmistry@yahoo.com wrote:
> Thank you very much for the quick response and the OpenLDAP behavior configuration.
> 
> How can we make it ignore the server name in the subject of the certificate, so I
> can use the LDAP server IP address instead of the host name?
> 
> Also, I want to know if there is any open CVE which says it is a vulnerability to
> use the LDAP server IP address instead of the name in the LDAP configuration.

Add the IP address in a subjectAlternativeName extension to your server certificate.

The behavior here is specified in RFC 4513.
> 
> 
> Thank you,
> Darshankumar Mistry
> darshankmistry@yahoo.com
> 
>     On Friday, May 10, 2019, 12:58:38 PM PDT, Quanah Gibson-Mount <quanah@symas.com> wrote:
> 
>  --On Friday, May 10, 2019 8:52 PM +0000 darshankmistry@yahoo.com wrote:
> 
>> Full_Name: Darshankumar Mistry
>> Version:
>> OS:
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (2001:420:10b:1272:fc1b:1ea:d311:6cac)
>>
>>
>> I would like to know why OpenLDAP behavior was changed so that we must
>> configure the FQDN mentioned in the certificate in order for LDAP
>> authentication to work... else TLS starts failing.
> 
> OpenLDAP has worked this way since I first started using it in 2002.  This
> behavior is nothing new.  And this is the correct behavior.
> 
> This ITS will be closed.
> 
> --Quanah
> 
> 
> --
> 
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
> 


-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
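The identity check this thread is about, as an added example that is not part of the thread and is not OpenLDAP's libldap code: a small Python matcher that applies the RFC 4513 section 3.1.3 comparison rules to the host the client connected to and the names a certificate presents. It shows why a connection opened by IP address fails against a certificate that only carries a CN ("hostname does not match CN in peer certificate") and passes once the address is in an iPAddress subjectAltName, which is the fix recommended above. The PeerCert structure and every certificate value in it are constructed for the example; a real client reads them from the parsed X.509 certificate. Two policy points are this example's reading of the RFC rather than a statement of what libldap does: an IP literal is compared only against iPAddress entries, and the CN is consulted only when the certificate carries no dNSName entries at all.

```python
"""Server identity check for LDAP over TLS, following RFC 4513 section 3.1.3.

Added example: constructed data structures, not code from OpenLDAP.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PeerCert:
    """Identity-bearing parts of a server certificate (constructed for the example)."""
    common_name: Optional[str] = None
    san_dns: List[str] = field(default_factory=list)  # subjectAltName dNSName entries
    san_ip: List[str] = field(default_factory=list)   # subjectAltName iPAddress entries


def _as_ip(text: str):
    """Return an ip_address for an IPv4/IPv6 literal (brackets allowed), else None."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def _dns_match(reference: str, presented: str, allow_wildcard: bool = True) -> bool:
    """Case-insensitive DNS comparison; '*' may only be the whole leftmost label
    and replaces exactly one label, so '*.bar.com' matches 'a.bar.com' but not
    'bar.com' or 'x.a.bar.com'."""
    ref = reference.lower().rstrip(".")
    pres = presented.lower().rstrip(".")
    if "*" not in pres:
        return ref == pres
    if not allow_wildcard:
        return False
    head, dot, tail = pres.partition(".")
    if head != "*" or not dot:
        return False  # 'ld*p.example.com' or a bare '*' are rejected
    rhead, rdot, rtail = ref.partition(".")
    return bool(rdot) and rhead != "" and rtail == tail


def check_server_identity(connect_host: str, cert: PeerCert) -> Tuple[bool, str]:
    """Decide whether `cert` is acceptable for a session opened to `connect_host`.

    `connect_host` must be the literal host or IP from the LDAP URI the client
    used, never a name obtained from reverse DNS or a CNAME chase.
    Returns (accepted, reason).
    """
    ip = _as_ip(connect_host)
    if ip is not None:
        # Reference identity is an address: only iPAddress SAN entries count
        # (example policy; the CN is not tried for IP literals).
        for entry in cert.san_ip:
            cand = _as_ip(entry)
            if cand is not None and cand == ip:
                return True, f"iPAddress SAN {entry} matches"
        return False, f"no iPAddress subjectAltName equals {ip}"
    for entry in cert.san_dns:
        if _dns_match(connect_host, entry):
            return True, f"dNSName SAN {entry} matches"
    if cert.san_dns:
        return False, "dNSName subjectAltName present but none match; CN not consulted"
    # Deprecated fallback: CN compared as a DNS name, no wildcards allowed.
    if cert.common_name and _dns_match(connect_host, cert.common_name, allow_wildcard=False):
        return True, f"no SAN; CN {cert.common_name} matches (deprecated fallback)"
    return False, f"hostname {connect_host} does not match CN in peer certificate"


def demo():
    """Run the reporter's situation (CN-only cert, connect by IP) and the fixed cert."""
    cn_only = PeerCert(common_name="ldap.example.com")
    with_san = PeerCert(common_name="ldap.example.com",
                        san_dns=["ldap.example.com", "*.corp.example.com"],
                        san_ip=["192.0.2.10", "2001:db8::10"])
    cases = [("ldap.example.com", cn_only), ("192.0.2.10", cn_only),
             ("192.0.2.10", with_san), ("[2001:db8::10]", with_san),
             ("LDAP.EXAMPLE.COM", with_san), ("dc1.corp.example.com", with_san),
             ("corp.example.com", with_san)]
    return [(host, *check_server_identity(host, cert)) for host, cert in cases]


if __name__ == "__main__":
    for host, ok, why in demo():
        print(f"{'OK  ' if ok else 'FAIL'} {host:<24} {why}")
```

The second case in demo() is the reporter's configuration: the certificate names ldap.example.com in its CN but the URI is ldap://192.0.2.10, so no presented identity can equal the reference identity and the session must be refused. Turning off the check is not the fix; a certificate issued with the address in subjectAltName is.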