Re: TLS fails
At 03:41 PM 2/15/2006, Quanah Gibson-Mount wrote:
>On Wednesday 15 February 2006 15:40, Jon Roberts wrote:
>> Quanah Gibson-Mount wrote:
>> > On Wednesday 15 February 2006 14:23, Ran Li wrote:
>> >>The funny thing is, TLS works fine from a remote host, but not on the
>> >>server itself. I tried changing localhost to the actual DNS name of the
>> >>server, but still I get the same error.
>> >>is the ldap server a ldap client? my understanding is it has to be a
>> >>ldap client in order to make ldapsearch over tls work.
>> > You have to use the name in your search that matches the name in the
>> > certificate for TLS to work.
>> In JLDAP clients I can connect to a remote ldaps server by using the ip
>> address as hostname, even though I obviously did not use the ip as the
>> name in the certificate. Is that advice specific to ldapsearch,
>> StartTLS, or something else I might be confused about?
>I'm guessing that JLDAP translates the IP address to the FQDN.
Which is counter to both general and LDAP-specific
TLS certificate verification rules. One shouldn't
trust DNS. Sounds like a JLDAP bug to me.
>ldapsearch -ZZZ -h 220.127.116.11 uid=quanah uid
>ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL
>routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Assuming the certificate doesn't list the
IP address 18.104.22.168 as an alternative subject
name (which ldapsearch(1) should check), correct.
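The identity check the reply above describes, as an added Python example that is not part of this thread or of OpenLDAP's code: the reference identity is whatever the client was told to connect to (hostname or IP literal), it is compared against the certificate's subjectAltName entries (and the subject CN only as a legacy fallback), and no reverse-DNS translation is ever performed. The SAN lists and names below are constructed; the rules follow RFC 4513 section 3.1.3 with the usual single-label wildcard restriction.

```python
import ipaddress


def _dns_name_matches(reference, dns_name):
    """Case-insensitive dNSName comparison; '*' may only be the whole leftmost
    label, must match exactly one label, and needs at least two fixed labels."""
    ref = reference.lower().rstrip(".")
    pat = dns_name.lower().rstrip(".")
    if pat == ref:
        return True
    if pat.startswith("*.") and "*" not in pat[1:]:
        ref_labels, pat_labels = ref.split("."), pat.split(".")
        return (len(pat_labels) >= 3
                and len(ref_labels) == len(pat_labels)
                and ref_labels[1:] == pat_labels[1:])
    return False


def server_identity_matches(reference, san, cn=None):
    """reference: the host string the client used to open the connection.
    san: constructed list of (type, value) pairs such as
         ("DNS", "ldap.example.com") or ("IP", "192.0.2.10").
    cn: subject CN, consulted only when the cert carries no dNSName SAN.
    Returns True only if the certificate names the reference identity as
    given; the client never substitutes a DNS-derived name for it."""
    try:
        ip = ipaddress.ip_address(reference.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only matches an iPAddress SAN, compared as addresses.
        return any(t == "IP" and ipaddress.ip_address(v) == ip for t, v in san)
    dns_sans = [v for t, v in san if t == "DNS"]
    if dns_sans:
        return any(_dns_name_matches(reference, d) for d in dns_sans)
    return cn is not None and _dns_name_matches(reference, cn)


if __name__ == "__main__":
    # Constructed certificate issued to the server's DNS name only.
    cert_san = [("DNS", "ldap.example.com")]
    for ref in ("ldap.example.com", "localhost", "192.0.2.10"):
        print(ref, "->", server_identity_matches(ref, cert_san))
```

Connecting to such a server as `localhost` or by IP fails the check even though it is the same machine, which is the "certificate verify failed" seen in the thread; adding the IP as an iPAddress SAN is what makes the IP form pass.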