Re: TLS hostname check failure and subjectAltname extension
On Thu, Jan 12, 2012 at 05:31:31PM +0100, Michael Ströder wrote:
> We're using self-compiled OpenLDAP 2.4.27 under RHEL 6.1 linked
> against OpenSSL 1.0.0 libs shipped with RHEL.
> Unfortunately we can't get StartTLS to work. It always fails:
>
> # /opt/xxxdir/bin/ldapsearch -x -ZZ ldap://ldap-srv01.rz.domain
> ldap_start_tls: Connect error (-11)
> additional info: TLS: hostname does not match CN in peer certificate
> # /opt/xxxdir/bin/ldapsearch -x -ZZ ldap://ldap.domain
> ldap_start_tls: Connect error (-11)
> additional info: TLS: hostname does not match CN in peer certificate
>
> But OpenSSL lists the (IMO correct) hostnames in the server's certificate:
>
> ---------------------------------- snip ----------------------------------
> Subject: CN=ldap.domain,OU=xxx,O=xxx,C=DE
> [..]
> X509v3 Subject Alternative Name:
> email:certificate@xxx.domain,
> DNS:ldap.domain,
> DNS:ldap-srv01.rz.domain,
> DNS:ldap-srv02.rz.domain
> ---------------------------------- snip ----------------------------------
>
> Is the hostname check confused by the email in the first
> subjectAltName sequence value?
Probably not. I have just set up a test case like that and it works.
All software is the current version on Debian Squeeze:
@(#) $OpenLDAP: slapd 2.4.23 (Jun 15 2011 13:31:57) $
@incagijs:/home/thijs/debian/p-u/openldap-2.4.23/debian/build/servers/slapd
OpenSSL 0.9.8o 01 Jun 2010
I usually find that the problem is with the client-side setup,
probably not getting the right TLS_CACERT value (i.e. in your case
maybe /opt/xxxdir/bin/ldapsearch is reading
/opt/xxxdir/etc/openldap/ldap.conf rather than
/etc/openldap/ldap.conf).
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
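As an added illustration of the check the question asks about (this is not code from the thread or from OpenLDAP's libldap): RFC 6125-style matching of a hostname against the SAN list quoted above, assuming DNS entries take precedence and the subject CN is consulted only when the certificate carries no DNS SAN at all. The `SAN_ENTRIES` list is copied from the post; the function names are hypothetical.

```python
# Added example, not from the thread: how a subjectAltName-aware hostname
# check treats the SAN list shown in the post. Entries that are not
# DNS names (here the "email:" entry) are simply skipped.

# Constructed from the SAN block and Subject line quoted in the post.
SAN_ENTRIES = [
    "email:certificate@xxx.domain",
    "DNS:ldap.domain",
    "DNS:ldap-srv01.rz.domain",
    "DNS:ldap-srv02.rz.domain",
]
SUBJECT_CN = "ldap.domain"


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-ID comparison. A single '*' is accepted only
    as the whole left-most label and only when at least two labels
    follow it (RFC 6125 section 6.4.3)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(host: str, san_entries, subject_cn: str):
    """Return (matched, reason). DNS SANs are authoritative; the CN is
    only a fallback when the certificate has no DNS SAN (RFC 6125 rule,
    assumed here rather than taken from any particular library)."""
    dns_names = [e[len("DNS:"):] for e in san_entries if e.startswith("DNS:")]
    for name in dns_names:
        if _dns_match(name, host):
            return True, "matched SAN DNS:%s" % name
    if dns_names:
        return False, "no SAN DNS entry matches; CN ignored because DNS SANs exist"
    if _dns_match(subject_cn, host):
        return True, "matched CN=%s (no DNS SANs present)" % subject_cn
    return False, "no match"


if __name__ == "__main__":
    for h in ("ldap-srv01.rz.domain", "ldap.domain", "ldap-srv03.rz.domain"):
        print(h, hostname_matches(h, SAN_ENTRIES, SUBJECT_CN))
```

Both names the original poster tried match a DNS SAN here, which is consistent with the reply's view that the failure is not caused by the leading email entry.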