[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Perplexed

fre, 2002-08-09 kl. 18:20 skrev Tony Earnshaw:

> "Never use IP numbers for hostnames, always use FQDNs". Well, for me
> TLS/SSL only works with my IP number (, not localhost. or
> 'uname -n' - the FQDN "billy.demon.nl".

Solved this one, anyway :-)

Lack of experience with on my part:

Whatever /etc/ldap has as "host" under
"# Your LDAP server. Must be resolvable without using LDAP." counts. If
it's present there, any entry in ~/.ldaprc etc. is ignored.

If the entry is "host", then only certificates with
"CN=" will be accepted. If the entry is "host localhost", only
certificates with "CN=localhost" will be accepted.

Both "work" if one has certificates for them. I have my own CA (self
made) to sign my own certificate requests. The CA certificat MUST be
included in /etc/ldap.conf (if that's what one's using) and MUST be
readable by everyone. The signed certificate and key should only be
readable by the slapd user, in my gase uid=ldap, gid=ldap. And root, of

Using a combined signed certificate/key in one file as suggested by some
constitutes a huge security hole, since that file must be fully readable
by everyone.

In my case (linux RH 7.2 with resolver libs and libc dated April 2002),
irrespective of the fact that I have "order hosts,bind" in
/etc/host.conf , the resolver goes to the DNS server on my machine
first, where my server is authoritative for the zone "localhost." .

As I don't do DNS for "FQDN billy.demon.nl" (my ISP does that and has
given me a static IP number), I only run caching DNS. When I'm not using
ppp0, I have no possibility of using my Internet IP number for
billy.demon.nl as a "hook" for my hostname, so I _have_ to use

Openssl/ldap/Linux give you a wealth of tools for finding out exactly
what is happening and why. I used:

slapd -h ldaps:/// -d5
strace (for ex. 'strace getent passwd tonni") in an xterm that one can
scroll right back in)
openssl x509 -in localhost openssl x509 -in localhostSignedcert.pem
openssl s_client -connect localhost:636 -showcerts -ssl3

Hope this can be of help to anyone experiencing "strange happenings with
certificates" later ...




Tony Earnshaw

The usefulness of RTFM is vastly overrated.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
gpg public key:	http://www.billy.demon.nl/tonni.armor

Telefoon:	(+31) (0)172 530428
Mobiel:		(+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981

Attachment: signature.asc
Description: Dette er en digitalt signert meldingsdel