
Re: load balancer with SSL



I'm using openldap-2.2.17. Is that too old? The openldap FTP site says
it was released on Sep 13, 2004.

  Thanks,
- Jeremiah

On 10/18/06, Howard Chu <hyc@symas.com> wrote:
Aaron Richton wrote:
> I don't see this...

You're seeing the correct behavior; libldap was changed along these
lines back in April 2003. If someone is trying this and getting a
different behavior they must be using a very very old library.

> [put NotTheCert in /etc/hosts]
>
> $ ldapsearch -x -LLL -ZZ -H "ldap://NotTheCert.rutgers.edu/" '(doesnt=exist)'
> No such object (32)
> $ ed ldap.conf
> 633
> 1,$s/never/demand/p
> TLS_REQCERT     demand
> w
> 634
> q
> $ ldapsearch -x -LLL -ZZ -H "ldap://NotTheCert.rutgers.edu/" '(doesnt=exist)'
> ldap_start_tls: Connect error (-11)
>         additional info: TLS: hostname does not match CN in peer certificate
>
> Certainly appears to instigate different behavior to me.
>
> However, the whole point of the load balancer is to make everything look
> the same. Toward that end, why would you want server1 and server2 to
> look different--might as well lose the load balancer at that point. With
> the load balancer, either use subjectAltNames, or just get a cert for
> "loadbalancer.example.com" and use that. We do the latter; I don't
> *want* the users to see that they're connected to server1 or server2 or....

--
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc
   OpenLDAP Core Team            http://www.openldap.org/project/
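The behaviour Aaron's session exercises (TLS_REQCERT demand rejecting a name that is not in the certificate) and his remedy (a subjectAltName covering the balancer name, or a certificate issued to it), modelled in Python as an added example. This is not code from the thread or from libldap; the certificate records and the example.com hostnames are constructed.

```python
# Simplified model of the TLS hostname check a client such as libldap applies
# when TLS_REQCERT is "demand" (example code, not libldap's own): the name the
# client dialled must match a dNSName in subjectAltName, or the CN when the
# certificate carries no dNSName. All certificate records are constructed.
from dataclasses import dataclass


@dataclass
class CertNames:
    """Identity fields of a server certificate (constructed sample data)."""
    cn: str
    san_dns: tuple = ()


def _name_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS comparison; '*.' covers exactly one label."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*.") and "." in h:
        return p[2:] == h.split(".", 1)[1]
    return False


def hostname_matches(cert: CertNames, hostname: str) -> bool:
    """dNSName entries win; the CN is consulted only if there is no dNSName."""
    if cert.san_dns:
        return any(_name_match(n, hostname) for n in cert.san_dns)
    return _name_match(cert.cn, hostname)


def check_connection(cert: CertNames, hostname: str, reqcert: str) -> str:
    """Emulate TLS_REQCERT: 'never' skips the name check entirely,
    'demand' refuses the session when the name does not match."""
    if reqcert == "never" or hostname_matches(cert, hostname):
        return "ok"
    return "TLS: hostname does not match CN in peer certificate"


# Constructed certificates for servers reached via "loadbalancer.example.com".
SERVER1_CN_ONLY = CertNames(cn="server1.example.com")
SERVER1_WITH_SAN = CertNames(cn="server1.example.com",
                             san_dns=("server1.example.com",
                                      "loadbalancer.example.com"))
LB_CERT = CertNames(cn="loadbalancer.example.com")

if __name__ == "__main__":
    for cert in (SERVER1_CN_ONLY, SERVER1_WITH_SAN, LB_CERT):
        print(cert.cn, check_connection(cert, "loadbalancer.example.com", "demand"))
```

Only the CN-only server1 certificate is refused under "demand"; the same certificate passes under "never", which is exactly the difference the ed edit above produced.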