Re: SSL problems, certificate missmatch
I'm not passing hostname to ldapsearch because I have only the default
hostnames (localhost.localadmin) setup. I start the server passing -h
"ldap:/// ldaps:///" which are supposed to use the default hostname. So I
can't see how I'm passing different hostnames.
I guess my problem is that I don't know where ldapsearch is getting the
information for what certificate to use, if I knew that then I could copy
the right certificate for it to use. Any suggestions please?
----- Original Message -----
From: "Norbert Klasen" <firstname.lastname@example.org>
To: "Leila Lappin" <email@example.com>;
Sent: Friday, April 12, 2002 12:56 AM
Subject: Re: SSL problems, certificate missmatch
> --On Friday, 12 April 2002 01:43 -0700 Leila Lappin
> <firstname.lastname@example.org> wrote:
> > I came across this problem because when I do ldapsearch without -ZZ I
> > the data I'm expecting to see. But when I do the same search with -ZZ
> > option I only get "ldap_start_tls: Success" and no data. I looked
> > through diagnostics on the client side and saw an error with mismatched
> > hostnames on certificates. It's clear that two different certificates
> > are being used by the client and server but why and how can I fix it?
> You need to use the hostname that is specified in the certificate (either
> as CN attribute in the DN or as subjectAltName of type DNS) as the
> hostname you connect to. If these two don't match, the connection is aborted;
> this mismatch could result from a Man-in-the-Middle attack.
> Norbert Klasen, Dipl.-Inform.
> DAASI International GmbH phone: +49 7071 29 70336
> Wilhelmstr. 106 fax: +49 7071 29 5114
> 72074 Tübingen email: email@example.com
> Germany web: http://www.daasi.de
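The check Norbert describes, that the name the client connects to must equal a DNS name the server certificate was issued for, is what makes a mismatch fatal instead of a warning. The following Python is an added illustration of that comparison, not code from this thread or from OpenLDAP: it takes a certificate in the dict shape Python's ssl.SSLSocket.getpeercert() returns and decides whether a given connection hostname is covered by it. The sample certificate is constructed here for the poster's default hostname localhost.localadmin plus a made-up wildcard entry *.example.test, so the wildcard rules can be exercised as well. SAN DNS entries are treated as authoritative when present and the CN is consulted only as a fallback, which is the usual TLS client behaviour and is assumed here to be what libldap does too.

```python
# Added example: reproduce the hostname-vs-certificate comparison a TLS
# client performs before it accepts a server certificate. Not OpenLDAP code.

# Constructed sample in the shape of ssl.SSLSocket.getpeercert() output.
# localhost.localadmin is the default hostname mentioned in the thread;
# the wildcard entry *.example.test is made up to demonstrate wildcard rules.
SAMPLE_PEERCERT = {
    "subject": (
        (("countryName", "DE"),),
        (("commonName", "localhost.localadmin"),),
    ),
    "subjectAltName": (
        ("DNS", "localhost.localadmin"),
        ("DNS", "*.example.test"),
    ),
}


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname, RFC 6125 style.

    Comparison is case-insensitive and ignores a trailing dot. A '*' is
    honoured only as the entire left-most label and never spans a dot, so
    '*.example.test' covers 'ldap.example.test' but neither
    'a.b.example.test' nor 'example.test' itself.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole first label, there must be at least two
    # literal labels after it, and the label counts must agree.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_names(peercert: dict) -> tuple[list[str], list[str]]:
    """Return (subjectAltName DNS entries, commonName values) from the cert."""
    san_dns = [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [v for rdn in peercert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return san_dns, cns


def hostname_matches(peercert: dict, hostname: str) -> tuple[bool, str]:
    """Decide whether `hostname` is a name this certificate was issued for.

    SAN DNS entries win when present; the CN is only a fallback for
    certificates without any DNS SAN. Returns (accepted, reason) so a
    caller can log exactly why a connection was refused.
    """
    san_dns, cns = certificate_names(peercert)
    candidates = san_dns if san_dns else cns
    source = "subjectAltName DNS" if san_dns else "subject CN"
    if not candidates:
        return False, "certificate carries no DNS name to compare against"
    for name in candidates:
        if _dns_name_match(name, hostname):
            return True, f"{hostname!r} matches {source} entry {name!r}"
    return False, (
        f"{hostname!r} matches none of the {source} entries {candidates}; "
        "the client must abort, because this is indistinguishable from a "
        "man-in-the-middle presenting some other host's certificate"
    )


if __name__ == "__main__":
    # Connecting as 'localhost' to a server whose certificate only names
    # localhost.localadmin is exactly the mismatch reported in the thread.
    for host in ("localhost.localadmin", "localhost",
                 "ldap.example.test", "a.b.example.test"):
        accepted, reason = hostname_matches(SAMPLE_PEERCERT, host)
        print("ACCEPT" if accepted else "REJECT", reason)
```

The practical consequence for ldapsearch is the one Norbert gives: the host part of the URI passed with -H (or of the HOST/URI setting in ldap.conf) has to be the exact name in the certificate, so a certificate for localhost.localadmin has to be reached as ldaps://localhost.localadmin/ rather than ldaps://localhost/ or an IP address. Which CA certificate the OpenLDAP client trusts for that check comes from the TLS_CACERT setting in ldap.conf or ~/.ldaprc.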