[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS fails

--On Wednesday, February 15, 2006 5:35 PM -0800 Howard Chu <hyc@symas.com> wrote:

Kurt D. Zeilenga wrote:
At 03:41 PM 2/15/2006, Quanah Gibson-Mount wrote:

On Wednesday 15 February 2006 15:40, Jon Roberts wrote:

ldapsearch -ZZZ -h uid=quanah uid
ldap_start_tls: Connect error (-11)
       additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Assuming the certificate doesn't list the IP address as a alternative subject name (which ldapsearch(1) should check), correct.

But in the case of the OpenLDAP libraries, it would state explicitly "hostname does not match". The above error message comes from the OpenSSL library, meaning that there is something fundamentally wrong with the certificate itself. Running with a higher debug level would be more useful (or you could look up error code 14090086 in the OpenSSL source).

There's nothing wrong with the cert, I'm guessing I forgot to tell it where to find the CA chain. ;)

tribes:~> ldapsearch -ZZZ -h uid=quanah uid
ldap_start_tls: Connect error (-11)
       additional info: TLS: hostname does not match CN in peer certificate

is the correct error after fixing that. ;)


-- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html