
Re: Multi-homed machine and TLS
On Wednesday 15 September 2004 08:33, Imobach González Sosa wrote:
> On Wednesday, 15 September 2004 13:16, Imobach González Sosa wrote:
>
> Ok, I know that only saying "it doesn't work" you could not help me much
> ;)... so, here we go with some debugging output from ldapsearch (with -d1
> flag):
>
> ######### Debug Begins
>
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 1, err: 0, subject: /C=ES/ST=My Province/L=My City/O=ULPGC/OU=SIC/CN=ldap2.my.domain/emailAddress=hostmaster@my.domain, issuer: /C=ES/ST=My Province/L=My City/O=ULPGC/OU=SIC/CN=ldap2.my.domain/emailAddress=hostmaster@my.domain
> TLS certificate verification: depth: 0, err: 0, subject: /C=ES/ST=My Province/L=My City/O=ULPGC/OU=SIC/CN=cname.my.domain/emailAddress=hostmaster@my.domain/subjectAltName=DNS:ldap2.sub.my.domain,DNS:ldap2.my.domain, issuer: /C=ES/ST=My Province/L=My City/O=ULPGC/OU=SIC/CN=ldap2.my.domain/emailAddress=hostmaster@my.domain
> TLS trace: SSL_connect:SSLv3 read server certificate A
> TLS trace: SSL_connect:SSLv3 read server done A
> TLS trace: SSL_connect:SSLv3 write client key exchange A
> TLS trace: SSL_connect:SSLv3 write change cipher spec A
> TLS trace: SSL_connect:SSLv3 write finished A
> TLS trace: SSL_connect:SSLv3 flush data
> TLS trace: SSL_connect:SSLv3 read finished A
> TLS: hostname (ldap2.sub.my.domain) does not match common name in
> certificate (cname.my.domain).
> ldap_perror
> ldap_start_tls: Connect error (-11)
>     additional info: TLS: hostname does not match CN in peer certificate
>
> ######### Debug Ends
>
> Thank you all.

Looks like you put subjectAltName as a part of the subject. That's not gonna 
work! The subjectAltName is an X509v3 EXTENSION! It has to go into the 
extension section of the certificate. If you generate the certificate you 
specify an extension section in the CA section of your openssl.conf (if 
you're using openssl). For example:

[ myCA ]

...
x509_extensions = myextensions

[ myextensions ]

subjectAltName          = DNS:whatever.sub.my.domain, DNS:somethingmore


Karsten.
-- 
The Official MBA Handbook on business cards:
	Avoid overly pretentious job titles such as "Lord of the Realm,
Defender of the Faith, Emperor of India" or "Director of Corporate
Planning."
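An added example (not from the thread, and not Imobach's or Karsten's own commands) that reproduces the mismatch in the quoted debug output with a local self-signed pair: one certificate with "subjectAltName" typed into the subject DN, one with subjectAltName carried in an x509_extensions section as Karsten suggests, each then checked with openssl verify -verify_hostname the way a TLS client would. It assumes a current openssl binary and uses openssl req -x509 (self-signed) with -extensions instead of the CA section of openssl.conf; the paths, the req_dn section and the shortened DN are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: two self-signed certificates with the same
# CN, one with the names typed into the subject DN as in the quoted debug output,
# one with subjectAltName as a real X509v3 extension, then the client's host check.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
# [ myextensions ] is Karsten's section; "-extensions myextensions" below does for
# "req -x509" what "x509_extensions = myextensions" does in a CA section.
cat > "$WORK/san.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_dn

[ req_dn ]
C  = ES
O  = ULPGC
CN = cname.my.domain

[ myextensions ]
subjectAltName = DNS:ldap2.sub.my.domain, DNS:ldap2.my.domain
EOF

# Broken: "subjectAltName" inside the subject is just another DN attribute.
make_broken_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/san.cnf" \
    -subj "/C=ES/O=ULPGC/CN=cname.my.domain/subjectAltName=DNS:ldap2.sub.my.domain" \
    -keyout "$WORK/broken.key" -out "$WORK/broken.crt" 2>/dev/null
}
# Fixed: the same DN, SAN carried in the extension section.
make_fixed_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/san.cnf" \
    -extensions myextensions -keyout "$WORK/fixed.key" -out "$WORK/fixed.crt" 2>/dev/null
}
# The check a TLS client performs: DNS SANs when present (CN is then ignored),
# otherwise the CN. Prints "match" or "mismatch"; always exits 0 for use in $(...).
hostname_matches() {
  if openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1; then
    echo match
  else
    echo mismatch
  fi
}
make_broken_cert
make_fixed_cert
for host in ldap2.sub.my.domain ldap2.my.domain cname.my.domain; do
  echo "$host: broken=$(hostname_matches "$WORK/broken.crt" "$host") fixed=$(hostname_matches "$WORK/fixed.crt" "$host")"
done
```

The broken certificate only ever matches cname.my.domain, which is exactly what ldapsearch reported; the fixed one matches both SAN names and, since DNS SANs are present, no longer matches the CN at all.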