Re: TLS fails

Kurt D. Zeilenga wrote:
At 03:41 PM 2/15/2006, Quanah Gibson-Mount wrote:
On Wednesday 15 February 2006 15:40, Jon Roberts wrote:
ldapsearch -ZZZ -h uid=quanah uid
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Assuming the certificate doesn't list the IP address as an alternative subject name (which ldapsearch(1) should check), correct.

But in the case of the OpenLDAP libraries, it would state explicitly "hostname does not match". The above error message comes from the OpenSSL library, meaning that there is something fundamentally wrong with the certificate itself. Running with a higher debug level would be more useful (or you could look up error code 14090086 in the OpenSSL source).

 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/
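Howard's distinction is that "certificate verify failed" is raised by OpenSSL on the served chain, whereas a hostname mismatch is reported by libldap itself. As an added example that is not part of this thread, the POSIX shell functions below unpack an OpenSSL 1.x packed error code such as 14090086 into its library, function and reason fields and classify it; the numeric constants are OpenSSL's own (ERR_LIB_SSL = 20, SSL_R_CERTIFICATE_VERIFY_FAILED = 134), and the host and file names in comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Unpack an OpenSSL 1.x packed error
# code (hex, as printed in "error:14090086:...") into its three fields:
#   bits 31..24 library, bits 23..12 function, bits 11..0 reason.
# OpenSSL 3.x dropped the function field; library and reason still apply.
decode_openssl_err() {
    code=$(( 0x$1 ))
    lib=$(( (code >> 24) & 0xff ))
    func=$(( (code >> 12) & 0xfff ))
    reason=$(( code & 0xfff ))
    printf '%d %d %d\n' "$lib" "$func" "$reason"
}

# Classify the code. Values are from OpenSSL's err.h / sslerr.h:
#   ERR_LIB_SSL = 20, SSL_R_CERTIFICATE_VERIFY_FAILED = 134.
# Prints "cert-verify-failed" when OpenSSL rejected the server chain
# (the case in the thread), "ssl-other" for any other SSL-library error,
# and "non-ssl" otherwise. A hostname mismatch never appears here:
# libldap reports that itself as "hostname does not match".
classify_openssl_err() {
    set -- $(decode_openssl_err "$1")
    if [ "$1" -ne 20 ]; then
        echo non-ssl
    elif [ "$3" -eq 134 ]; then
        echo cert-verify-failed
    else
        echo ssl-other
    fi
}

# With the openssl CLI installed, "openssl errstr" decodes the code to its
# symbolic names, and the chain can be checked against the CA that libldap
# trusts (TLS_CACERT in ldap.conf), e.g. (placeholder host and path):
#   openssl s_client -connect ldap.example.com:389 -starttls ldap \
#       -CAfile /path/to/ca.pem
# On the ldap side, "ldapsearch -ZZ -d 1 ..." prints the TLS handshake trace.
explain_openssl_err() {
    classify_openssl_err "$1"
    command -v openssl >/dev/null 2>&1 && openssl errstr "$1"
}

if [ -n "${1:-}" ]; then
    explain_openssl_err "$1"
fi
```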