
Re: TLS bare minimum

On Wednesday, 6 June 2007, West, Jon (NIH/NIMH) [C] wrote:
> my server is 'myserver.com' but I'm hosting the ldap domain
> 'NOTmyserver.com' (test.com in this case) I have to use myserver.com when
> creating the cert, not the ldap domain correct?

Certificates have nothing to do with a base dn (or a realm), and LDAP servers 
don't host domains (unless you're actually using bind sdb_ldap, or something 
similar), but suffixes/base DNs.

For certificate validation:
-The date/time on the client must be within the validity period of the 
-The certificate must be issued by a CA trusted by the client
-The certificate must be issued with a subject CN (or subjectAlternativeName) 
value that matches the *name* (IP address is possible if the 
subjectAlternativeName lists the IP and the client software supports this) 
the *client application* connects to.

DNS does not matter.

All that matters is that when you use -h server.mydomain.com, the subject CN 
(or subjectAl on the cert offered by the server that responds must be 

You can't use -h server with subject CN of my.server.com (even if -h server 
resolves to -h server.mydomain.com), as the name the software is using does 
not match the cert.

So, explain what "serveraddress" is whenever you post a command you are 
using ...

BTW: You may also want to consider upgrading:

2.2.13 to: http://anorien.warwick.ac.uk/mirrors/buchan/openldap/rhel4/
2.0.27 to: http://anorien.warwick.ac.uk/mirrors/buchan/openldap/rhel3/

(more up-to-date packages are built, I just can't upload them at present)

> <wjon@mail.nih.gov> wrote:
> > yes, I actually have it looking at the cert but I still get a
> > connection error when using TLS. I think I understand it:
> > ldap_start_tls: Connect error (-11)
> >         additional info: TLS: hostname does not match CN in peer
> > certificate. I think this is because I used 'test.com' as the server
> > name when generating the cert rather than the actual server? test.com is
> > just the test domain I am using
> Hi,
> Please keep replies to the list.
> This error means that the host name in the certificate does not match the
> hostname for the server.  They must match to establish a TLS connection.

Buchan Milne
ISP Systems Specialist - Monitoring/Authentication Team Leader

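As an added illustration (not from the mail above and not OpenLDAP's own code), the rules Buchan lists expressed as the check a client performs on the name it was given with -h: the name must appear as the subject CN or a subjectAltName DNS entry, an IP literal counts only if the subjectAltName lists that IP, no DNS lookup is involved, and the client's clock must fall inside the validity period. PeerCert, CERT_TIME and the check functions are assumed names for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address

# Constructed "current time" for the checks; in practice this is the client's clock.
CERT_TIME = datetime(2007, 6, 6, tzinfo=timezone.utc)

@dataclass
class PeerCert:
    """Only the certificate fields the checks below look at (assumed names)."""
    subject_cn: str
    san_dns: list = field(default_factory=list)   # subjectAltName DNS names
    san_ip: list = field(default_factory=list)    # subjectAltName IP addresses
    not_before: datetime = datetime(2007, 1, 1, tzinfo=timezone.utc)
    not_after: datetime = datetime(2008, 1, 1, tzinfo=timezone.utc)

def _is_ip_literal(name):
    try:
        ip_address(name)
        return True
    except ValueError:
        return False

def name_matches(cert, connect_name):
    """True if the name the client was told to use (the -h value) is on the cert.

    No DNS lookup happens here: what 'server' resolves to does not matter,
    only the literal name the client application was given.
    """
    if _is_ip_literal(connect_name):
        # An IP literal matches only an IP listed in subjectAltName, never the CN.
        return any(ip_address(connect_name) == ip_address(i) for i in cert.san_ip)
    wanted = connect_name.lower().rstrip(".")
    candidates = [cert.subject_cn] + list(cert.san_dns)
    return any(wanted == c.lower().rstrip(".") for c in candidates)

def check_peer(cert, connect_name, now=CERT_TIME):
    """Return (ok, reason) for the validity-period and name checks."""
    if not (cert.not_before <= now <= cert.not_after):
        return False, "certificate is outside its validity period"
    if not name_matches(cert, connect_name):
        return False, "TLS: hostname does not match CN in peer certificate"
    return True, "ok"

if __name__ == "__main__":
    cert = PeerCert("server.mydomain.com")
    for name in ("server.mydomain.com", "server", "192.0.2.10"):
        print(name, check_peer(cert, name))
```

Running it shows the short name "server" and a bare IP both rejected against a cert whose only name is the CN server.mydomain.com, which is exactly the "hostname does not match CN in peer certificate" case in the thread.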