[Date Prev][Date Next] [Chronological] [Thread] [Top]

StartTLS with a host alias

To: openldap-software@openldap.org
Subject: StartTLS with a host alias
From: Robert Minsk <robertminsk@yahoo.com>
Date: Thu, 5 Jun 2008 14:26:32 -0700 (PDT)

My cert on my LDAP server contains multiple commonName entries.
> openssl x509 -noout -in s014-ldap-cert.pem -subject
subject= /C=US/ST=California/O=FooBar/CN=s014.cgi.foobar.com/CN=ldap1.cgi.foobar.com/CN=s14.cgi.foobar.com

The LDAP server FQHN is s014.cgi.foobar.com and has aliases of ldap1.cgi.foobar.com and s14.cgi.foobar.com.  All hostname resolution is done with our internal DNS servers and they all have the correct FQHN and aliases.

On my secondary mirror LDAP server I have syncrepl setup to use the hostname alias ldap1.cgi.foobar.com
syncrepl  ... provider=ldap://ldap1.cgi.foobar.com starttls=critical ...
and that works fine.

When I have my ldap.conf with:
URI ldap://s014.cgi.foobar.com
the command "ldapsearch -x -ZZ" works just fine.

When I change my ldap.conf to:
URI ldap://ldap1.cgi.foobar.com
the command "ldapsearch -x -ZZ" returns
ldap_start_tls: Connect error (-11)
        additional info: TLS: hostname does not match CN in peer certificate.

It seems the openldap library is only checking the first CN in the certificate and not all the others.  Is there any way to have it check the other CN entries in the cert?

Follow-Ups:
- Re: StartTLS with a host alias
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>

Prev by Date: Re: using slapo-pcache with an empty attr list
Next by Date: Re: can syncrepl do this?
Index(es):
- Chronological
- Thread