[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS problems with OpenLDAP

On Fri, 31 Oct 2008, LÉVAI Dániel wrote:
> I've recreated my certificate/key pair, beacuse I can't seem get over 
> this issue. I've changed the hostname in the certificate to the ip 
> address of the server. OpenLDAP 2.4.11, Debian testing/lenny system.
> TLS: hostname ( does not match common name in certificate 
> (
> That last "TLS:" prefixed message bothers me; it tells me that 
> doesn't match with! Why?

Hmm, you mention "Debian testing/lenny".  Does that mean it uses GNUtls?  
Due to differences in APIs, OpenLDAP uses different routines to perform 
the "check hostname against certificate" test depending on whether it's 
built against OpenSSL or GNUtls.  It appears the routine used with GNUtls 
refuses to match IP addresses against a CN subjects component, thus 
explaining that weird message.

(In ldap_pvt_tls_check_hostname(), 'len1' is only non-zero if the hostname 
doesn't look like an IPv6 or IPv4 address, while the subject CN test needs 
'len1' to be the same as the length of the CN value.)

I suggest you file an ITS about that.

Philip Guenther