On 17/03/2010, at 6:53 AM, Dieter Kluenter dieter@dkluenter.de wrote:
On Tue, 16 Mar 2010 19:45:25 +1000, "Brett @Google" brett.maxfield@gmail.com wrote:
Hello,
Is there any way of suppressing the SSL warning/error "TLS: hostname (XXXXX) does not match common name in certificate" for a syncrepl client?
This error is being returned by a syncrepl client which is negotiating SSL, talking to a syncrepl server by using its (actual / real) server name, but as the server name returns a certificate based on its (external / content switch) server name, the SSL library on the client waits for a randomly long time, and then returns the error above as the cert returned does not exactly match the hostname configured in the provider="" line in the syncrepl client configuration.
If it's indeed a warning, then the syncrepl client should ignore it, but it does not, so effectively it is an error as it causes the syncrepl client to abort its connection.
A hack might be to add the "external" name to /etc/hosts on each syncrepl client with the correct IP for each syncrepl server, but I was hoping for something better.
You may either configure syncrepl with 'tls_reqcert=never', which would not be a wise decision, or add a subjectAltName value to the host certificate.
I tried tls_reqcert=never but I still got the warning. It's the syncrepl client's SSL library which has an issue with the syncrepl client's server certificate.
I'm thinking maybe having either a subjectAltName or having a non-SSL listener just for syncrepl (with fw rules) might be the trick.
Cheers Brett
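The following is an added illustration of why the subjectAltName suggestion in this thread works and what it must contain; it is not OpenLDAP or libldap code and was not posted by anyone in the thread. It implements the hostname-matching rule most TLS clients follow (RFC 6125 style): dNSName entries in subjectAltName are checked first, and the subject commonName is consulted only when the certificate carries no SAN at all. The certificates are constructed Python dicts in the shape returned by ssl.getpeercert(), not parsed X.509, and the two hostnames (a "real" provider name and an "external" content-switch name) are assumed placeholders standing in for the ones the original poster masked as XXXXX.

```python
"""RFC 6125 style hostname matching against a (constructed) certificate.

Added example for the thread above; not OpenLDAP code.  The certificate
dicts mimic the structure of Python's ssl.getpeercert() output.
"""

# Assumed placeholder names; the thread masks the real ones.
REAL_NAME = "ldap1.internal.example.com"   # name used in provider="ldaps://..."
EXTERNAL_NAME = "ldap.example.com"         # name on the content switch / external side

# Certificate as the thread describes it: issued for the external name, CN only.
CERT_CN_ONLY = {
    "subject": ((("commonName", EXTERNAL_NAME),),),
}

# Corrected certificate: SAN lists BOTH names.  The external name has to be
# repeated in the SAN, because once a SAN is present the CN is ignored.
CERT_WITH_SAN = {
    "subject": ((("commonName", EXTERNAL_NAME),),),
    "subjectAltName": (("DNS", EXTERNAL_NAME), ("DNS", REAL_NAME)),
}

# Common mistake: SAN added with only the replica-facing name.  Replication
# now works, but every client using the external name starts failing.
CERT_SAN_REAL_ONLY = {
    "subject": ((("commonName", EXTERNAL_NAME),),),
    "subjectAltName": (("DNS", REAL_NAME),),
}


def _dns_names(cert):
    """dNSName entries of subjectAltName, in certificate order."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def _common_names(cert):
    """All commonName values in the subject (there may be more than one)."""
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def _name_matches(pattern, hostname):
    """Case-insensitive comparison; a single leftmost '*' label matches exactly
    one label and is never allowed to cover a public suffix like '*.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert, hostname):
    """Return (matched, reason) for the given certificate and hostname."""
    sans = _dns_names(cert)
    if sans:
        # A SAN is present: the CN plays no part in the decision.
        for name in sans:
            if _name_matches(name, hostname):
                return True, "matched subjectAltName DNS:%s" % name
        return False, "hostname %r not in subjectAltName %r" % (hostname, sans)
    cns = _common_names(cert)
    for cn in cns:
        if _name_matches(cn, hostname):
            return True, "matched commonName %s" % cn
    return False, "hostname %r does not match common name in certificate %r" % (hostname, cns)


def main():
    cases = [
        ("CN only, replica uses real name", CERT_CN_ONLY, REAL_NAME),
        ("CN only, client uses external name", CERT_CN_ONLY, EXTERNAL_NAME),
        ("SAN with both, replica uses real name", CERT_WITH_SAN, REAL_NAME),
        ("SAN with both, client uses external name", CERT_WITH_SAN, EXTERNAL_NAME),
        ("SAN with real name only, client uses external name", CERT_SAN_REAL_ONLY, EXTERNAL_NAME),
    ]
    for label, cert, host in cases:
        ok, why = match_hostname(cert, host)
        print("%-52s %s (%s)" % (label, "OK" if ok else "FAIL", why))


if __name__ == "__main__":
    main()
```

Running it shows the first case failing exactly as in the thread, the corrected certificate passing for both names, and the half-fixed certificate (SAN containing only the replica-facing name) breaking external clients. Lowering tls_reqcert does not enter into this logic at all; the fix is to issue the provider's certificate with a SAN that lists every name a client may use to reach it.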