Re: Subject Alternative Name in TLS

Re: Subject Alternative Name in TLS - does this work?

To: lejeczek <peljasz@yahoo.co.uk>

Subject: Re: Subject Alternative Name in TLS - does this work?

From: Erwann Abalea <eabalea@gmail.com>

Date: Thu, 17 Oct 2013 18:37:01 +0200

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=TtPuxNt+9XciSY/dg2lYdfvpVus/x2I4HD/QjXO68TM=; b=TzQ6KOBT6KAa+dIJ/sWNqv7ZHs3As6LUaQ/PaFMiArABLEpkifC7xZiVFnHXATrS3q 4AW4nMtcqMMIJ4qVmkMZuYnI8PM+brnihGZU6eldvhYnG9j6RAi6j0v+L9mDJ7SLJvte Ndsyq7gR8hRdIDGI8lx+PZT0s08ZOb9KgBmQpsSpwyyowzFCDNFnX372ENiDXpOGICTH fBBEuUVczCkjjp2Tr0VUO07KvtBidqNNMLTryfAG2Sn/mVBXodocoiTDb93qNZAQSp2I /C9AF3bbqslLE81eReqtulYXjfPZhiKVtqH0hJHTD0dUy+jQAPYoiEEvvaTJ0PnH7Oei C9hw==

In-reply-to: <52600718.4000807@yahoo.co.uk>

References: <52600718.4000807@yahoo.co.uk>

It should work, but depends on the checks performed by the TLS+crypto toolkit.

Using the CN to hold the hostname/IP is deprecated, and this field is now ignored by some libraries if the SAN extension is present.

2013/10/17 lejeczek <peljasz@yahoo.co.uk>

dear all

I'm trying to set a seeminglysimple setup
having a box with openldap I want it to use TLS on both internal and external hostnames/IPs

openldap was set up earlier and was/is working
I generate TLS certificate with SAN
everything seems working fine
but
when I ldapsearch on external fqdn/IP (which in the certificate is the subjectAltName) search fails
whereas it succeeds on internal fqdn(which is the hostname/ CN in the certificate)

error is: additional info: TLS error -8157:Certificate extension not found.

is such a scenario even possible? having very same DN being served on more than one name via TLS?

best wishes

--
Erwann.