
Re: TLS: hostname does not match CN in peer certificate

On Monday 24 October 2005 22:49, John Manning wrote:
> On Monday 24 October 2005 19:49, Buchan Milne wrote:
> >No, the subject on the server's cert. You should be able to get it (the
> >value
> >following CN= in the subject line) with OpenSSL's s_client command:
> >$ openssl s_client -connect ldaphost:636
> Firstly, thanks so much for your help. I've made progress as a result
> (having been stuck for ages). I did as you suggested above. I got the
> following in the first few lines:
> $ openssl s_client -connect ldaphost:636
> CONNECTED(00000003)
> depth=1 /O=dev/OU=Organizational CA
> verify error:num=19:self signed certificate in certificate chain
> verify return:0

This is still the CA cert. Look further down the output for the server cert.

Unfortunately I can't currently show you an example with working CA certs.

> Not sure if the "verify error" in there is terribly ominous or not.

You'd want to use the -CApath option to openssl s_client to check the validity 
of the cert (I omitted that the first time :-().

> Later 
> on, there was indeed a subject line, as you predicted, with a CN value that
> was FQDN-like (say foo.bar.tld). I popped this in /etc/hosts and tried an
> ldapsearch:
> $ ldapsearch -v -D "cn=someuser, o=users" -H ldaps://foo.bar.tld:636 -ZZ
> ldap_initialize( ldaps://foo.bar.tld:636 )
> ldap_start_tls: Operations error (1)
>         additional info: TLS is is already established
> At first, I thought this might be due to some redundancy between the
> "ldaps" scheme, the 636 port number and the -ZZ option to start TLS.

It is.

> However, if I change the scheme to just "ldap" or change the port, I can't
> connect at all. If I get rid of the -ZZ, it doesn't know which external
> SASL mechanism to use. Stuck again.

Use -x to disable SASL.

> >You could disable certificate checking in the OpenLDAP ldap.conf (which
> >should
> >apply to php-ldap too).
> If this is the:
> TLS_REQCERT <level>
> option, I've tried playing around with that to no avail. It was at "allow"
> by default. I changed it to "never" but it didn't affect the above
> ldapsearch.

At this point you probably want to point OpenLDAP's ldap.conf at the CA cert:

TLS_CACERT /path/to/TrustedRootCert.pem


Buchan Milne
ISP Systems Specialist
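An added example, not part of the thread, showing the two checks the discussion above circles around: pulling the CN out of the depth-0 `subject=` line of `openssl s_client` output (rather than the CA cert at depth 1), and comparing it against the host named in the `-H ldaps://...` URI the way the "hostname does not match CN in peer certificate" error does. The s_client output below is constructed for the example in the old slash-separated DN style the thread shows; the helper names are mine, and current verifiers additionally prefer subjectAltName dNSName entries over the CN.

```python
import re

# Constructed sample of "openssl s_client -connect ldaphost:636" output.
# Not captured from the poster's host; depth=1 is the CA, depth=0 the server.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
depth=1 /O=dev/OU=Organizational CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
depth=0 /O=dev/CN=foo.bar.tld
verify return:1
---
subject=/O=dev/CN=foo.bar.tld
issuer=/O=dev/OU=Organizational CA
"""

def server_cn(output):
    """CN of the server (depth 0) cert: the value after CN= on the 'subject=' line."""
    for line in output.splitlines():
        if line.startswith("subject="):
            m = re.search(r"/CN=([^/]+)", line)
            return m.group(1).strip() if m else None
    return None

def verify_errors(output):
    """Collect 'verify error:num=N:text' lines; without -CApath/-CAfile, num=19 shows up."""
    return [(int(m.group(1)), m.group(2))
            for m in re.finditer(r"^verify error:num=(\d+):(.*)$", output, re.M)]

def hostname_matches(hostname, cn):
    """Case-insensitive host-vs-CN check; a leading '*.' matches exactly one label."""
    h, c = hostname.lower().rstrip("."), cn.lower().rstrip(".")
    if c.startswith("*."):
        hl, cl = h.split("."), c.split(".")
        return len(hl) == len(cl) and hl[1:] == cl[1:]
    return h == c

def diagnose(output, hostname):
    """Summarise why an ldaps:// connection to `hostname` would be rejected."""
    cn = server_cn(output)
    return {
        "cn": cn,
        "hostname_ok": cn is not None and hostname_matches(hostname, cn),
        "chain_ok": not verify_errors(output),
    }
```

Running `diagnose(SAMPLE_OUTPUT, "ldaphost")` reports the CN as `foo.bar.tld`, a hostname mismatch, and a chain failure; pointing `TLS_CACERT` at the CA cert fixes the second, and using the CN (via DNS or /etc/hosts) in the URI fixes the first.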
