[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Subject Alternative Name in TLS - does this work?



Hi,

On Thu, 17 Oct 2013, lejeczek wrote:

dear all

I'm trying to set a seeminglysimple setup
having a box with openldap I want it to use TLS on both internal and external hostnames/IPs

openldap was set up earlier and was/is working
I generate TLS certificate with SAN
everything seems working fine
but
when I ldapsearch on external fqdn/IP (which in the certificate is the subjectAltName) search fails whereas it succeeds on internal fqdn(which is the hostname/ CN in the certificate)

error is: additional info: TLS error -8157:Certificate extension not found.

is such a scenario even possible? having very same DN being served on more than one name via TLS?


If this is what you are looking for I can confirm that I have a setup with ldaps:// and ldap:// with TLS that uses subjectAltNames in the certificates.

Relevant parts of the x509 cert with customer name obfuscated

We have this on one server:

        Subject: C=XX, ST=State, L=City, O=Company, CN=ldap1.example.org
   	X509v3 Subject Alternative Name:
		DNS:ldap1.example.org, DNS:ldap1, DNS:ldap-cluster.example.org, DNS:ldap-cluster

We have this on the other server:

        Subject: C=XX, ST=State, L=City, O=Company, CN=ldap2.example.org
   	X509v3 Subject Alternative Name:
		DNS:ldap2.example.org, DNS:ldap2, DNS:ldap-cluster.example.org, DNS:ldap-cluster


We can connect to ldap-cluster.example.org just fine independent of to which server the load balancer directs the tcp connection to.

This is using openldap-2.4.36

Greetings
Christian

--
Christian Kratzer                      CK Software GmbH
Email:   ck@cksoft.de                  Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0          D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9          HRB 245288, Amtsgericht Stuttgart
Web:     http://www.cksoft.de/         Geschaeftsfuehrer: Christian Kratzer