[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: load balancer with SSL

My ldap.conf(5) man page says:

"If a bad certificate is provided, it will be ignored and the session
proceeds normally."

I believe that hostname != CN would be considered a "bad certificate." The
bad certificate will be ignored if "allow" is set, and the session will
proceed "normally" without TLS. You could verify this (or prove me wrong)
with security tls_ssf=1 or similar.

On Fri, 9 Jun 2006, Jeremiah Martell wrote:

> I actually had the TLS_REQCERT set to allow, not never, would this
> make a difference? The error I'm getting is "TLS: hostname
> (1.example.com) does not match common name in certificate
> (2.example.com)." I thought "allow" would keep this error from
> happening.