[Date Prev][Date Next]
Re: TLS problems with OpenLDAP
On Fri, 31 Oct 2008, LÉVAI Dániel wrote:
> I've recreated my certificate/key pair, beacuse I can't seem get over
> this issue. I've changed the hostname in the certificate to the ip
> address of the server. OpenLDAP 2.4.11, Debian testing/lenny system.
> TLS: hostname (192.168.1.3) does not match common name in certificate
> That last "TLS:" prefixed message bothers me; it tells me that
> 192.168.1.3 doesn't match with 192.168.1.3?! Why?
Hmm, you mention "Debian testing/lenny". Does that mean it uses GNUtls?
Due to differences in APIs, OpenLDAP uses different routines to perform
the "check hostname against certificate" test depending on whether it's
built against OpenSSL or GNUtls. It appears the routine used with GNUtls
refuses to match IP addresses against a CN subjects component, thus
explaining that weird message.
(In ldap_pvt_tls_check_hostname(), 'len1' is only non-zero if the hostname
doesn't look like an IPv6 or IPv4 address, while the subject CN test needs
'len1' to be the same as the length of the CN value.)
I suggest you file an ITS about that.