
Re: certificate warnings



On Tue, 16 Mar 2010 19:45:25 +1000,
"Brett @Google" <brett.maxfield@gmail.com> wrote:

> Hello,
> 
> Is there any way of suppressing the SSL warning/error "TLS: hostname
> (XXXXX) does not match common name in certificate" for a syncrepl
> client ?
> 
> This error is being returned by a syncrepl client which is
> negotiating SSL talking to a syncrepl server by using its (actual /
> real) server name, but as the server name returns a certificate based
> on its (external / content switch) server name, the ssl library on
> the client waits for a randomly long time, and then returns the error
> above as the cert returned does not exactly match the hostname
> configured in the provider="" line, in the syncrepl client
> configuration.
> 
> If it's indeed a warning, then the syncrepl client should ignore it,
> but it does not, so effectively it is an error as it causes the
> syncrepl client to abort its connection.
> 
> A hack might be to add the "external" name to /etc/hosts on each
> syncrepl client with the correct ip for each syncrepl server, but was
> hoping for something better.

You may either configure syncrepl with 'tls_reqcert=never', which would
not be a wise decision, or add a subjectAltName value to the host
certificate.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N
10°08'02,42"E
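
The subjectAltName fix suggested in the reply, as an added example that is not part of the original message: it builds two throwaway self-signed certificates and checks both names against each, so certificate verification can stay enabled. The hostnames are constructed placeholders, and OpenSSL 1.1.1 or later is assumed for `-addext`.

```shell
#!/bin/sh
# Added example. Hostnames below are constructed placeholders, not from the thread.
REAL_NAME="ldap1.internal.example"   # name the consumer uses in its provider= URI
EXT_NAME="ldap.example.com"          # content-switch name the certificate was issued for

# make_cert DIR CN [SAN]: write a throwaway self-signed cert to DIR/cert.pem.
# Assumes OpenSSL 1.1.1 or later (needed for -addext).
make_cert() {
    mkdir -p "$1"
    if [ -n "${3:-}" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
            -addext "subjectAltName=$3" \
            -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
            -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    fi
}

# host_matches CERT NAME: succeed only if the certificate is valid for NAME.
host_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

report() {
    if host_matches "$1" "$2"; then echo "  $2: match"; else echo "  $2: MISMATCH"; fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Certificate as in the question: only the external name, carried in the CN.
make_cert "$WORK/cn_only" "$EXT_NAME"
# Certificate as in the reply: both names listed in subjectAltName.
# Once DNS SAN entries exist the CN is no longer consulted, so list every name.
make_cert "$WORK/with_san" "$EXT_NAME" "DNS:$EXT_NAME,DNS:$REAL_NAME"

echo "CN-only certificate:"
report "$WORK/cn_only/cert.pem" "$EXT_NAME"
report "$WORK/cn_only/cert.pem" "$REAL_NAME"
echo "Certificate with subjectAltName:"
report "$WORK/with_san/cert.pem" "$EXT_NAME"
report "$WORK/with_san/cert.pem" "$REAL_NAME"
```

The same `-checkhost` test can be run against a production certificate file before changing the syncrepl configuration.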