[Date Prev][Date Next]
Re: OL, SSL/TLS, and load balancing
On Monday, May 3, 2004, at 11:28 AM, Quanah Gibson-Mount wrote:
In working with OpenLDAP, and trying to maintain a load-balanced pool
of servers which can be made available to campus, I've run into an
issue when wanting to use/enable SSL and/or TLS. The main issue comes
down to how SSL/TLS handling is done in OpenLDAP. In general, the
cert DN must match the servername.
When you use a software load balancer, this breaks client negotiated
SSL/TLS, in that a bind to "ldap.stanford.edu" will come back with a
bind to "ldap6.stanford.edu". Since "ldap.stanford.edu" !=
"ldap6.stanford.edu", the bind will fail.
When you use a hardware load balance, this will break SSL/TLS
encrypted replication, since doing an update to "ldap6.stanford.edu"
will return a cert of "ldap.stanford.edu".
One fix for this would be using a star cert, with "ldap.stanford.edu"
in the subjectAltName. However, I cannot find a cert vendor (which,
for the time being, I must use) that will issue this. The closest I
can get is a cert with "*.stanford.edu" in the DN field. However, the
RFC discussing star certs only mentions them being present in the
subjectAltName field, which means that cert is rejected. On the other
hand, ever other application and client we've used this cert with
accepts it as valid -- It is only OL that is being picky about the RFC
Our HTTP service is software load balanced, and seems to manage
without wildcards. I believe the server is configured with its
hostname for SSL, separately from its hostname for TCP bind.
That would make direct access via the canonical host name difficult,
unless you wanted to use a separate non-standard service port for it.
If it's feasible - if you have full control over development or
deployment of the client software - I would think about resolving
the address ahead of time and never letting SSL hear about
If you verify that the canonical host is a reasonably likely cluster
member, I don't think this would compromise security, but I'm not an
We also use wildcard certificates (for IMAP/POP), and that isn't fun.
Vendors want to make sure the wildcard isn't cutting into their revenue
stream by letting you secure your whole site on one certificate. I
would be sorry to see this become the standard route to dealing with
load balancing (which I should be looking into myself - already have
the load balance name, so the next step is to make it work.)
Donn Cave, firstname.lastname@example.org