Re: TLS: hostname does not match CN in peer certificate

On Monday 24 October 2005 17:53, John Manning wrote:
> I need to have some web applications use a TLS/SSL connection to an LDAP
> server for authentication. I have previously done this successfully (to the
> same server) for a Java web application and now need to do it for a PHP
> application (which uses the installed OpenLDAP client to contact the remote
> LDAP server). I'm contacting the remote LDAP server by IP number and I'm
> getting:
> TLS: hostname does not match CN in peer certificate
> This seems consistent with section 3.6 of the TLS extension to LDAP
> (http://www.rfc-editor.org/rfc/rfc2830.txt):
> "The client MUST use the server hostname it used to open the LDAP
> connection as the value to compare against the server name as expressed in
> the server's certificate.  The client MUST NOT use the server's canonical
> DNS name or any other derived form of name."

Note that this is the subject on the server certificate.

> The remote LDAP server is a Novell server, which is its own CA, and the
> certificate I was given has the following:
> $ openssl x509 -in TrustedRootCert.pem -noout -subject
> subject= /O=dev/OU=Organizational CA

This is the subject of the CA cert, *not* the server certificate.

> I'm assuming that I'm supposed to use a form of contacting the server that
> matches this subject information,

No, the subject on the server's cert. You should be able to get it (the value 
following CN= in the subject line) with OpenSSL's s_client command:
$ openssl s_client -connect ldaphost:636

> but I can't see how I can do so. (There 
> isn't even a CN part.) I tried putting the identifier 'dev' in /etc/hosts
> and used this instead of the IP number but that didn't work. It's not
> possible in the short term to get an alternative certificate due to
> staffing issues. Is there any way to get the OpenLDAP client to work with
> this certificate? The same certificate (or at least one generated from the
> same DER original, with the same subject) was used in a Java web
> application to securely authenticate against the same LDAP server. It's
> possible that the answer to this is just that OpenLDAP is more fussy about
> matching the supplied host to the subject of the certificate, but I'm
> hoping there's some way around it.

You could disable certificate checking in the OpenLDAP ldap.conf (which should 
apply to php-ldap too).


Buchan Milne
ISP Systems Specialist
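
The name check the reply describes, as an added example that is not part of the original thread: a POSIX shell script, assuming the openssl CLI, that pulls the CN and subjectAltNames out of a server certificate and compares them with the name used to connect, so the hostname mismatch can be diagnosed without disabling certificate checking. The demo certificates it generates (ldaphost, ldap.example.com, 192.0.2.10, and a CN-less subject copied from the thread) are constructed inputs.

```shell
# Added example, not from the thread; assumes the openssl CLI. Checks the name
# used to open an LDAPS connection against the server cert, as RFC 2830 s3.6
# requires, instead of turning certificate checking off.

# Print the subject CN (if any) plus every DNS/IP subjectAltName of a PEM cert.
cert_names() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
  openssl x509 -in "$1" -noout -text |
    awk '/X509v3 Subject Alternative Name/ { getline; gsub(/,/, "\n"); print }' |
    sed -n -e 's/^ *DNS:\(.*\)$/\1/p' -e 's/^ *IP Address:\(.*\)$/\1/p'
}

# Exit 0 if HOST is one of the certificate's names, 1 otherwise. The compare is
# case-insensitive and exact: no wildcards, and no reverse-DNS or other derived
# name, which RFC 2830 forbids. Usage: name_matches HOST CERT.pem
name_matches() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  cert_names "$2" | tr 'A-Z' 'a-z' | grep -qxF -- "$host"
}

# Constructed demo input: a throwaway self-signed server cert in DIR with
# CN=ldaphost and SAN DNS:ldap.example.com, IP:192.0.2.10. Prints its path.
make_demo_cert() {
  cat > "$1/san.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = ldaphost
[v3]
subjectAltName = DNS:ldap.example.com, IP:192.0.2.10
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/san.cnf" \
    -keyout "$1/server-key.pem" -out "$1/server.pem" 2>/dev/null
  printf '%s\n' "$1/server.pem"
}

# Constructed demo input: a CA-style cert with no CN at all, like the
# TrustedRootCert.pem subject quoted in the thread. Prints its path.
make_demo_ca_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=dev/OU=Organizational CA" \
    -keyout "$1/ca-key.pem" -out "$1/ca.pem" 2>/dev/null
  printf '%s\n' "$1/ca.pem"
}
# Against a live server (not run here): grab the leaf cert with s_client, as the
# reply suggests, then test the name you actually connect with:
#   openssl s_client -connect ldaphost:636 </dev/null 2>/dev/null |
#     openssl x509 -out server.pem && name_matches ldaphost server.pem
```

Connecting by IP number fails the check unless the certificate carries that address as a subjectAltName, and a CA certificate with no CN, like the one quoted above, can never match any hostname.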

