RE: Subject Alternative Name in TLS - does this work?



We're using the openldap packages from RHEL6/CentOS6.4:

# rpm -qa | grep openldap
openldap-servers-2.4.23-32.el6_4.1.x86_64
openldap-clients-2.4.23-32.el6_4.1.x86_64
openldap-2.4.23-32.el6_4.1.x86_64

Things are working well for us with certs that use the VIP for Subject, and a SAN list that includes the node names:
# openssl x509 -in /etc/openldap/cacerts/servercrt.pem -text -noout | grep ldap
        Subject: C=US, ST=WA, L=Seattle, O=[snipped], OU=[snipped], CN=ldap-vip. [snipped]/emailAddress=[snipped]
                DNS:ldapmaster1. [snipped], DNS:ldapmaster2. [snipped]

The certs and reqs were done via OpenSSL.

For whatever this is worth...
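
To check a cert shaped like the one above the way a hostname-verifying client would, here is an added shell example (not code from this thread or from OpenLDAP); it assumes OpenSSL 1.1.1 or later and uses constructed `*.example.test` names. It also shows the caveat to keep in mind with this layout: once a SAN dNSName is present, OpenSSL no longer falls back to the Subject CN, so clients that connect by the VIP name only verify if the VIP name is listed in the SAN too.

```shell
#!/bin/sh
# Added example, not code from this thread. Builds a throw-away self-signed cert
# shaped like the one described above (Subject CN = the VIP name, SAN = the node
# names) and checks each name the way a hostname-verifying client would.
# Assumes OpenSSL 1.1.1+ (for `req -addext` and `verify -verify_hostname`).
# All *.example.test names are constructed for this demo.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/servercrt.pem"
KEY="$WORK/serverkey.pem"

# Issue the test certificate: VIP name in the Subject, node names in the SAN.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$KEY" -out "$CERT" \
        -subj "/C=US/ST=WA/L=Seattle/O=Example/CN=ldap-vip.example.test" \
        -addext "subjectAltName=DNS:ldapmaster1.example.test,DNS:ldapmaster2.example.test" \
        >/dev/null 2>&1
}

# List the dNSName entries of the SAN extension, one per line (same grep idea as above).
san_dns_names() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Verify the chain and the hostname as a client would; prints "ok" or "mismatch".
# With a SAN present, OpenSSL does not fall back to the Subject CN, so the VIP
# name matches only if it is also listed in the SAN.
check_hostname() {
    if openssl verify -CAfile "$CERT" -verify_hostname "$1" "$CERT" >/dev/null 2>&1; then
        echo ok
    else
        echo mismatch
    fi
}

make_test_cert
echo "SAN dNSName entries:"; san_dns_names "$CERT"
for host in ldapmaster1.example.test ldapmaster2.example.test ldap-vip.example.test; do
    printf '%-26s %s\n' "$host" "$(check_hostname "$host")"
done
```

Run against a real server cert by pointing `CERT` at it (with `-CAfile` set to the issuing CA) and skipping `make_test_cert`; any node name that prints `mismatch` is one that clients will refuse.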

-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Quanah Gibson-Mount
Sent: Friday, October 18, 2013 9:08 AM
To: lejeczek; openldap-technical@openldap.org
Subject: Re: Subject Alternative Name in TLS - does this work?

--On Friday, October 18, 2013 8:52 AM +0100 lejeczek <peljasz@yahoo.co.uk>
wrote:

> slapd is redhat's openldap-servers-2.4.23-26.el6_3.2.x86_64, I hoped
> since slapd does not say a bad word about TLS cert with SAN it's tool
> would be fine too

Get a current release that is linked to OpenSSL, not the MozNSS garbage RH links to.

You may want to try <http://ltb-project.org/wiki/download#openldap>

--Quanah



--

Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration
