[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OL, SSL/TLS, and load balancing

On Monday, May 3, 2004, at 11:28 AM, Quanah Gibson-Mount wrote:
In working with OpenLDAP, and trying to maintain a load-balanced pool of servers which can be made available to campus, I've run into an issue when wanting to use/enable SSL and/or TLS. The main issue comes down to how SSL/TLS handling is done in OpenLDAP. In general, the cert DN must match the servername.

When you use a software load balancer, this breaks client negotiated SSL/TLS, in that a bind to "ldap.stanford.edu" will come back with a bind to "ldap6.stanford.edu". Since "ldap.stanford.edu" != "ldap6.stanford.edu", the bind will fail.

When you use a hardware load balance, this will break SSL/TLS encrypted replication, since doing an update to "ldap6.stanford.edu" will return a cert of "ldap.stanford.edu".

One fix for this would be using a star cert, with "ldap.stanford.edu" in the subjectAltName. However, I cannot find a cert vendor (which, for the time being, I must use) that will issue this. The closest I can get is a cert with "*.stanford.edu" in the DN field. However, the RFC discussing star certs only mentions them being present in the subjectAltName field, which means that cert is rejected. On the other hand, ever other application and client we've used this cert with accepts it as valid -- It is only OL that is being picky about the RFC here.

Our HTTP service is software load balanced, and seems to manage without wildcards. I believe the server is configured with its hostname for SSL, separately from its hostname for TCP bind. That would make direct access via the canonical host name difficult, unless you wanted to use a separate non-standard service port for it.

If it's feasible - if you have full control over development or
deployment of the client software - I would think about resolving
the address ahead of time and never letting SSL hear about ldap.stanford.edu.
If you verify that the canonical host is a reasonably likely cluster
member, I don't think this would compromise security, but I'm not an
SSL whiz.

We also use wildcard certificates (for IMAP/POP), and that isn't fun.
Vendors want to make sure the wildcard isn't cutting into their revenue
stream by letting you secure your whole site on one certificate.  I
would be sorry to see this become the standard route to dealing with
load balancing (which I should be looking into myself - already have
the load balance name, so the next step is to make it work.)

	Donn Cave, donn@u.washington.edu