[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: load balancer with SSL

> Jeremiah,
> I did the test with TLS_REQCERT set to 'allow' and got the same result
> as you. I am not sure what they mean by 'bad certificate' in the manual
> page of 'ldap.conf'.

Generally a bad certificate means a certificate whose signature cannot
be verified by the SSL library, or a missing certificate. If a
certificate is provided and the SSL library can verify it, then it will
be used. If the hostname doesn't match, the connection will fail. I.e.,
hostname matches are never ignored once the certificate is verified. For
a load balancing situation you must use subjectAltName's with the
relevant names, that's all there is to it.

  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

Howard Chu,

  Sorry to resurrect this thread after so many months. I have a
question as to why if I put in "TLS_REQCERT never" in my ldap.conf,
openldap does any actions with any certificates. It seems to me from
the man for ldap.conf, that never causes "The client will not request
or check any server certificate."

  In my instance (I still haven't solved this problem), I put in
"TLS_REQCERT never" in my ldap.conf, but still get this error from

TLS: hostname (loadbalancer.example.com) does not match common name in
certificate (server1.example.com).

  Your thoughts?

- Jeremiah