
Re: load balancer with SSL

Aaron Richton wrote:
> I don't see this...
>
> > You're seeing the correct behavior; libldap was changed along these lines back in April 2003. If someone is trying this and getting a different behavior they must be using a very very old library.
>
> [put NotTheCert in /etc/hosts]
>
> $ ldapsearch -x -LLL -ZZ -H "ldap://NotTheCert.rutgers.edu/" '(doesnt=exist)'
> No such object (32)
> $ ed ldap.conf
> $ ldapsearch -x -LLL -ZZ -H "ldap://NotTheCert.rutgers.edu/" '(doesnt=exist)'
> ldap_start_tls: Connect error (-11)
>         additional info: TLS: hostname does not match CN in peer certificate
>
> Certainly appears to instigate different behavior to me.

However, the whole point of the load balancer is to make everything look the same. Toward that end, why would you want server1 and server2 to look different--might as well lose the load balancer at that point. With the load balancer, either use subjectAltNames, or just get a cert for "loadbalancer.example.com" and use that. We do the latter; I don't *want* the users to see that they're connected to server1 or server2 or....

--
Howard Chu
Chief Architect, Symas Corp.  http://www.symas.com
Director, Highland Sun        http://highlandsun.com/hyc
OpenLDAP Core Team            http://www.openldap.org/project/
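The thread turns on one check: does the name the client connected to match a name in the server's certificate? The following is an added illustration of that rule, not code from the thread or from libldap. It models certificates as plain Python objects (constructed samples, not real X.509) and applies the usual RFC 6125 rule: dNSName subjectAltNames are consulted first and, only when the certificate has none, the CN is used. The three sample certificates correspond to the options discussed above: a per-server certificate, a certificate issued to the load-balancer name, and one certificate carrying all the names as subjectAltNames.

```python
"""Illustrative TLS hostname-matching check (added example, simplified).

Assumptions: certificates are represented by the PeerCert dataclass below
rather than parsed X.509; only exact dNSName matches and a single leading
"*." wildcard covering exactly one label are honoured; CN is consulted only
when no dNSName SAN is present (RFC 6125 behaviour, which libldap follows in
spirit but whose exact implementation details are not taken from this thread).
"""

from dataclasses import dataclass, field
from typing import List


@dataclass
class PeerCert:
    """Constructed stand-in for the identity fields of a server certificate."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)


def _name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name (possibly a wildcard) with the hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    # Wildcard: "*.example.com" matches "lb.example.com" but neither
    # "example.com" nor "a.b.example.com" (one label only).
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        if len(hostname) > len(suffix) and hostname.endswith(suffix):
            return "." not in hostname[: -len(suffix)]
    return False


def hostname_matches(cert: PeerCert, hostname: str) -> bool:
    """True if the connected-to hostname is covered by the certificate."""
    if cert.san_dns:
        # Once SANs are present, the CN is ignored entirely.
        return any(_name_matches(n, hostname) for n in cert.san_dns)
    return _name_matches(cert.common_name, hostname)


def check(cert: PeerCert, hostname: str) -> str:
    """Return 'ok' or the style of diagnostic the thread shows for a mismatch."""
    if hostname_matches(cert, hostname):
        return "ok"
    return "TLS: hostname does not match CN in peer certificate"


# Constructed sample certificates for the three deployment choices discussed.
PER_SERVER_CERT = PeerCert(common_name="server1.example.com")
LB_NAME_CERT = PeerCert(common_name="loadbalancer.example.com")
SAN_CERT = PeerCert(
    common_name="loadbalancer.example.com",
    san_dns=["loadbalancer.example.com", "server1.example.com", "server2.example.com"],
)


def load_balancer_scenarios() -> dict:
    """Evaluate each certificate against the name clients actually use."""
    client_name = "loadbalancer.example.com"
    return {
        "per-server cert behind LB": check(PER_SERVER_CERT, client_name),
        "cert issued to LB name": check(LB_NAME_CERT, client_name),
        "SAN cert, via LB": check(SAN_CERT, client_name),
        "SAN cert, direct to server2": check(SAN_CERT, "server2.example.com"),
        # CN is not a fallback once SANs exist: a SAN-only cert for server1
        # still fails for the LB name even though its CN says otherwise.
        "SAN-only server1 cert, via LB": check(
            PeerCert("loadbalancer.example.com", ["server1.example.com"]), client_name
        ),
    }


if __name__ == "__main__":
    for scenario, result in load_balancer_scenarios().items():
        print(f"{scenario:32s} -> {result}")
```

Run as a script, the output lines make the trade-off in the thread concrete: the per-server certificate fails behind the load balancer, while either a certificate for the balancer's own name or a single subjectAltName certificate covering every name passes.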