
RE: Problems with multiple DNS names in cert.



This error is generated on the client, not the server. Run ldapsearch with
debugging enabled and look at the TLS verification messages to see what it's
doing. By the way, the cert verification code hasn't changed since 2.1.13...

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Mathias
> Meisfjordskar

> Greetings all.
>
> I got my OpenLDAP-server to accept TLS-enabled connections for
> different DNS-names a while ago. Today I tried to do the same with
> OpenLDAP 2.1.16, but it's not working.
>
> I've read the Admin manual, the FAQ, the man-pages and searched the
> mail-archive, but still no solution.
>
> ldap.conf:
> TLS_CACERT /ldap/etc/ldap-cert/w3_cacert.pem
>
> slapd.conf:
> # SSL/TLS
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile /ldap/etc/ldap-cert/beeblebrox.uio.no.crt
> TLSCertificateKeyFile /ldap/etc/ldap-cert/beeblebrox.uio.no.key
> TLSCACertificateFile /ldap/etc/ldap-cert/w3_cacert.pem
>
> /ldap/etc/ldap-cert/beeblebrox.uio.no.crt:
>             X509v3 Subject Alternative Name:
>                 DNS:ldap.uio.no, DNS:bb.uio.no
>
> This was made using Howard Chu's recipe in the "Q: OpenLDAP In A
> 'Heartbeat' Cluster" thread. I have generated new certificates as
> well, but that didn't help either.
>
> There are no errors from slapd when importing the certs.
>
>
> beeblebrox.uio.no# /ldap/usr/bin/ldapsearch -x -h bb.uio.no
> -ZZ -s base > /dev/null
> ldap_start_tls: Connect error (91)
>         additional info: TLS: hostname does not match CN in
> peer certificate
> beeblebrox.uio.no# /ldap/usr/bin/ldapsearch -x -h
> beeblebrox.uio.no -ZZ -s base > /dev/null
> beeblebrox.uio.no#
>
> Both show the same result (without the pipe), but the first shouldn't
> give me an error.
>
>
> In the slapd logfile I find:
> ldap_read: want=9 error=Resource temporarily unavailable
> ber_get_next on fd 13 failed errno=11 (Resource temporarily
> unavailable)
> ...
> tls_read: want=5 error=Resource temporarily unavailable
> ...
> connection_read(13): unable to get TLS client DN error=49 id=0
> ...
> tls_read: want=5 error=Resource temporarily unavailable
> ldap_read: want=9 error=Resource temporarily unavailable
> ber_get_next on fd 13 failed errno=11 (Resource temporarily
> unavailable)
>
>
> I've also tried with other machines and other versions of OpenLDAP,
> but no solution.
>
>
> Does anyone know what the problem is?
>
> --
> Regards,
> Mathias Meisfjordskar
> GNU/Linux addict.
>
> "If it works; HIT IT AGAIN!"
>
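Howard Chu's reply locates the failure in the client's hostname check. The following is an added example, not OpenLDAP's code, that shows the two matching policies a client can apply to the certificate quoted above (CN=beeblebrox.uio.no, SAN DNS:ldap.uio.no and DNS:bb.uio.no): a legacy CN-only check, which accepts beeblebrox.uio.no and rejects bb.uio.no exactly as in the quoted ldapsearch output, and an RFC 6125 style check in which dNSName SAN entries are authoritative. The certificate dict is constructed in the shape Python's ssl.getpeercert() returns; the helper names are this example's own.

```python
# Constructed peer certificate, in the dict shape that Python's
# ssl.SSLSocket.getpeercert() returns, mirroring the cert in the thread:
# CN=beeblebrox.uio.no with SAN DNS:ldap.uio.no, DNS:bb.uio.no.
PEER_CERT = {
    "subject": ((("commonName", "beeblebrox.uio.no"),),),
    "subjectAltName": (("DNS", "ldap.uio.no"), ("DNS", "bb.uio.no")),
}


def _label_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one certificate name against hostname.
    A single '*' is allowed only as the whole leftmost label (RFC 6125),
    so '*.uio.no' matches 'bb.uio.no' but not 'a.bb.uio.no' or 'uio.no'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    first, _, rest = pattern.partition(".")
    if first != "*" or not rest:
        return False
    host_first, _, host_rest = hostname.partition(".")
    return bool(host_first) and host_rest == rest


def cn_only_match(cert: dict, hostname: str) -> bool:
    """Legacy policy: compare the hostname with the subject CN only.
    SAN entries are never consulted, so SAN-only names fail."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _label_match(value, hostname):
                return True
    return False


def san_aware_match(cert: dict, hostname: str) -> bool:
    """RFC 6125 policy: if the cert carries any dNSName SAN entries they are
    authoritative and the CN is ignored; the CN is consulted only when the
    cert has no dNSName entries at all."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        return any(_label_match(name, hostname) for name in dns_names)
    return cn_only_match(cert, hostname)


if __name__ == "__main__":
    for host in ("beeblebrox.uio.no", "bb.uio.no", "ldap.uio.no"):
        print(f"{host:20} CN-only={cn_only_match(PEER_CERT, host)!s:5} "
              f"SAN-aware={san_aware_match(PEER_CERT, host)}")
```

Note that under the strict RFC 6125 policy the CN host beeblebrox.uio.no is itself rejected because it is absent from the SAN, so a certificate meant to serve several names should list every one of them as a dNSName.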