
Re: problem with syncrepl and STARTTLS



r0m5 wrote:
> On 2017-08-09 14:13, Michael Ströder wrote:
>> Many problems like this are caused by not getting the PKI to issue correct
>> public-key certs. Especially you should put all DNS names an LDAP client might use to
>> connect to your LDAP server in the subjectAltName extension.
>>
>> E.g. ITS#8427 says:
>> "Provide the servers with TLS certificates that are correct but do not include
>> an address used in syncrepl provider setting."
>> What the heck does that mean?!?
> 
> I guess that, in order to reproduce it, the guy uses a provider certificate which is signed by a
> CA his consumer trusts, but the consumer connects to the provider using a DNS name
> different from the certificate CN and not included in subjectAltName.

Yes, therefore I'd see ITS#8427 resolved as do-not-use-broken-certs.

> Regarding my applications randomly failing STARTTLS to my consumers, it's not related
> to the use of a DNS name different from the certificate CN and not included in 
> subjectAltName. Considering an application using always the same DNS name
> [..]
> I will dig more into it. So far it appears that only PHP applications fail this way; it
> seems like there are no problems with STARTTLS from freeradius or Apache Basic AuthType
> with AuthBasicProvider ldap.

Then this sounds like PHP-LDAP being broken.

Ciao, Michael.

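The check behind this thread, as an added example (stdlib Python; not code from the list, from the posters, or from OpenLDAP): does the host written in the syncrepl `provider=` URI actually appear among the names the provider's certificate is valid for? The matching rules are the RFC 6125 ones a TLS client applies during STARTTLS: subjectAltName dNSName and iPAddress entries, a single left-most wildcard label, and the CN only as a legacy fallback when the certificate carries no SAN at all. Certificates are taken in the dict shape that `ssl.SSLSocket.getpeercert()` returns, so the same functions can be pointed at a live connection; the two certificate dicts, the host names and the addresses below are constructed samples, and the second dict reproduces the ITS#8427 situation quoted above (a correct, CA-signed certificate that simply omits the name the consumer uses).

```python
"""Check whether a syncrepl provider's TLS certificate covers the host named
in the provider= URI.  Added example; all certificate data below is constructed."""
import ipaddress
from urllib.parse import urlsplit


def provider_host(provider_uri: str) -> str:
    """Host part of an LDAP URI such as 'ldap://ldap1.example.net:389'.
    urlsplit lowercases the host and strips IPv6 brackets for us."""
    parts = urlsplit(provider_uri)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP URI: {provider_uri!r}")
    return parts.hostname.rstrip(".")


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 presented-identifier match: case-insensitive; a '*' is only
    honoured as the entire left-most label of a name with at least three
    labels (so '*.net' never matches), and it never spans a dot."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return (len(p_labels) == len(h_labels)
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])


def peercert_names(cert: dict):
    """Pull (dNSNames, iPAddresses, commonName) out of a getpeercert() dict."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value  # if several CNs are present the last one wins here
    return dns, ips, cn


def _same_ip(presented: str, addr) -> bool:
    """Compare a SAN iPAddress string with a parsed address (handles v4/v6 forms)."""
    try:
        return ipaddress.ip_address(presented) == addr
    except ValueError:
        return False


def certificate_covers_host(cert: dict, host: str) -> bool:
    """True if a verifying client would accept this certificate for `host`."""
    dns, ips, cn = peercert_names(cert)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a DNS name, not an IP literal
    if dns or ips:
        # A SAN extension is present: the CN is ignored entirely (RFC 6125 6.4.4).
        if addr is not None:
            return any(_same_ip(i, addr) for i in ips)
        return any(dns_name_matches(p, host) for p in dns)
    # No SAN at all: legacy CN fallback, DNS names only.
    return addr is None and cn is not None and dns_name_matches(cn, host)


def check_provider(cert: dict, provider_uri: str) -> bool:
    """The name check a consumer performs during STARTTLS to its provider."""
    return certificate_covers_host(cert, provider_host(provider_uri))


# Constructed sample: SAN lists every name and address clients connect with.
GOOD_CERT = {
    "subject": ((("commonName", "ldap1.example.net"),),),
    "subjectAltName": (("DNS", "ldap1.example.net"), ("DNS", "ldap.example.net"),
                       ("IP Address", "192.0.2.10"), ("IP Address", "2001:db8::10")),
}
# Constructed sample: valid, CA-signed, but the replication alias is missing.
MISSING_SAN_CERT = {
    "subject": ((("commonName", "ldap1.example.net"),),),
    "subjectAltName": (("DNS", "ldap1.example.net"),),
}

if __name__ == "__main__":
    for uri in ("ldap://ldap1.example.net:389", "ldap://ldap.example.net/"):
        print(uri, "good cert:", check_provider(GOOD_CERT, uri),
              "missing-SAN cert:", check_provider(MISSING_SAN_CERT, uri))
```

Run against a real provider by feeding `check_provider()` the dict from `ssl.SSLSocket.getpeercert()` after a STARTTLS handshake; a `False` for the exact URI used in `provider=` is the misconfiguration described in ITS#8427, and the fix is on the PKI side (reissue with the missing dNSName), not a relaxed `tls_reqcert` on the consumer.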