[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS bare minimum

To: openldap-software@openldap.org
Subject: Re: TLS bare minimum
From: Buchan Milne <bgmilne@staff.telkomsa.net>
Date: Wed, 6 Jun 2007 17:42:41 +0200
Cc: "West, Jon \(NIH/NIMH\) \[C\]" <wjon@mail.nih.gov>
In-reply-to: <FC6B3E97A88F754180D924680FE66004030C64@nihcesmlbx2.nih.gov>
Organization: Telkom Internet
References: <FC6B3E97A88F754180D924680FE66004069ED6@nihcesmlbx2.nih.gov> <323DB524E2685E534EE53565@deus-ex.zimbra.com> <FC6B3E97A88F754180D924680FE66004030C64@nihcesmlbx2.nih.gov>
User-agent: KMail/1.9.6

On Wednesday, 6 June 2007, West, Jon (NIH/NIMH) [C] wrote:
> my server is 'myserver.com' but I'm hosting the ldap domain
> 'NOTmyserver.com' (test.com in this case) I have to use myserver.com when
> creating the cert, not the ldap domain correct?

Certificates have nothing to do with a base dn (or a realm), and LDAP servers 
don't host domains (unless you're actually using bind sdb_ldap, or something 
similar), but suffixes/base DNs.

For certificate validation:
-The date/time on the client must be within the validity period of the 
certificate
-The certificate must be issued by a CA trusted by the client
-The certificate must be issued with a subject CN (or subjectAlternativeName) 
value that matches the *name* (IP address is possible if the 
subjectAlternativeName lists the IP and the client software supports this) 
the *client application* connects to.

DNS does not matter.

All that matters is that when you use -h server.mydomain.com, the subject CN 
(or subjectAl on the cert offered by the server that responds must be 
server.mydomain.com.

You can't use -h server with subject CN of my.server.com (even if -h server 
resolves to -h server.mydomain.com), as the name the software is using does 
not match the cert.

So, explain what "serveraddress" is whenever you post a command you are 
using ...

BTW: You may also want to consider upgrading:

2.2.13 to: http://anorien.warwick.ac.uk/mirrors/buchan/openldap/rhel4/
2.0.27 to: http://anorien.warwick.ac.uk/mirrors/buchan/openldap/rhel3/

(more up-to-date packages are built, I just can't upload them at present)

> <wjon@mail.nih.gov> wrote:
> > yes, I've actually have it looking at the cert but I still get a
> > connection error when using TLS I think I understand it
> > ldap_start_tls: Connect error (-11)
> >         additional info: TLS: hostname does not match CN in peer
> > certificate I think this means is because I used 'test.com' as the server
> > name when generating the cert rather then the actual server? test.com is
> > just the test domain I am using
>
> Hi,
>
> Please keep replies to the list.
>
> This error means that the host name in the certificate does not match the
> hostname for the server.  They must match to establish a TLS connection.


-- 
Buchan Milne
ISP Systems Specialist - Monitoring/Authentication Team Leader
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)

Attachment: pgpKQlIxCfV19.pgp
Description: PGP signature

References:
- TLS bare minimum
  - From: "West, Jon (NIH/NIMH) [C]" <wjon@mail.nih.gov>
- RE: TLS bare minimum
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- RE: TLS bare minimum
  - From: "West, Jon (NIH/NIMH) [C]" <wjon@mail.nih.gov>

Prev by Date: translucent overlay and bind
Next by Date: Re: monitoring openldap
Index(es):
- Chronological
- Thread