On 2017-08-09 14:13, Michael Ströder wrote:
I guess the guy uses in order to reproduce a provider certificate which is signed by a CA his consumer trusts, but the consumer connects to the provider using a DNS name different from the certificate CN and not included in subjectAltName.
The certificate I used when I had the problem was self signed but my consumer was connecting to a correct DNS name (the CN of the certificate).
In both cases the certificate is not "valid", but apparently for different reasons.
Regarding my applications randomly failing STARTTLS to my consumers, it's not related to the use of a DNS name different from the certificate CN and not included in subjectAltName. Considering an application always using the same DNS name to connect to the consumer and connecting to the same consumer, which always presents the same certificate (self-signed): most of the time this application succeeds STARTTLS, but sometimes fails. Log on the consumer:
conn=3232 fd=20 ACCEPT from IP=192.168.74.222:50187 (IP=0.0.0.0:389)
I will dig more into it. So far it appears that only PHP applications fail this way; it seems like there are no problems with STARTTLS from freeradius or Apache Basic AuthType with AuthBasicProvider ldap.
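The thread distinguishes two separate reasons a consumer can reject a provider certificate: the issuer is not trusted (self-signed), or the DNS name used for the connection is neither the CN nor in subjectAltName. As an added example (not code from the thread or from OpenLDAP), the helper below classifies a peer certificate given in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns; the issuer-trust result is passed in as a boolean, on the assumption that chain validation against the consumer's CA store has already been done elsewhere, and the sample certificates are constructed for illustration.

```python
"""Classify why a provider certificate fails on the consumer side:
untrusted issuer, hostname mismatch, or both."""


def _match_dns(pattern, hostname):
    """RFC 6125 style match: a wildcard is only honoured as the whole
    left-most label, so '*.example.com' matches 'ldap.example.com'
    but not 'a.b.example.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    plabels, hlabels = pattern.split("."), hostname.split(".")
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def names_from_cert(cert):
    """Return the DNS names a certificate is valid for.
    `cert` uses the ssl.SSLSocket.getpeercert() dict layout.
    If subjectAltName carries DNS entries, the CN is ignored."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def check_peer(cert, hostname, issuer_trusted):
    """Return the list of reasons the certificate is not acceptable
    for a connection to `hostname`; an empty list means it is fine."""
    reasons = []
    if not issuer_trusted:  # assumption: chain check done by the caller
        reasons.append("untrusted issuer (self-signed or unknown CA)")
    if not any(_match_dns(n, hostname) for n in names_from_cert(cert)):
        reasons.append("hostname not in CN/subjectAltName")
    return reasons


# Constructed sample certificates (not real ones from the thread).
SELF_SIGNED_CN_ONLY = {"subject": ((("commonName", "ldap.example.com"),),)}
CA_SIGNED_WITH_SAN = {"subject": ((("commonName", "ldap.example.com"),),),
                      "subjectAltName": (("DNS", "ldap.example.com"),)}

if __name__ == "__main__":
    # Case from the thread: self-signed cert, but the right DNS name.
    print(check_peer(SELF_SIGNED_CN_ONLY, "ldap.example.com", False))
    # The other case: trusted CA, but a name absent from CN and SAN.
    print(check_peer(CA_SIGNED_WITH_SAN, "ldap-replica.example.com", True))
```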