Howard Chu wrote:
Dieter Kluenter wrote:
I just wonder whether this is a bug in openSSL or in openLDAP, anyhow the subjectAltName attribute values are not honoured.
openssl-0.9.8k-3.5.3.x86_64
openldap-2.4.21

ldapwhoami -Y EXTERNAL -ZZ -H ldap://localhost
ldap_start_tls: Connect error (-11)
	additional info: TLS: hostname does not match CN in peer certificate

openssl x509 -in cert.pem -noout -text
Subject: C=DE, L=Hamburg, O=AVCI, OU=Certificate Authority, CN=rubin.avci.de/emailAddress=hdk@dkluenter.de
...
X509v3 Subject Alternative Name:
    DNS:localhost, DNS:ldap.xxxx.de, DNS:dkluenter.xxxx.org
Not to mention that this is OK with other versions of openldap and openssl.
Show the output with debugging enabled. Note that "localhost" is treated specially, and will be replaced by the local hostname instead of being used directly in the name comparison.
Why that? I strongly dislike automagic things when doing security checks.
Ciao, Michael.
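To make the "localhost" substitution Howard mentions visible, here is an added, simplified Python re-implementation of the hostname check (illustration only, not OpenLDAP's libldap code or anything from the thread). It assumes a certificate dump reconstructed from the quoted openssl output and a placeholder local hostname; SAN dNSName entries are tried first and the subject CN is a fallback.

```python
import re

# Constructed from the openssl output quoted in the thread (not a real certificate dump).
CERT_TEXT = """\
Certificate:
    Data:
        Subject: C=DE, L=Hamburg, O=AVCI, OU=Certificate Authority, CN=rubin.avci.de/emailAddress=hdk@dkluenter.de
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:ldap.xxxx.de, DNS:dkluenter.xxxx.org
"""

def parse_cert_names(cert_text):
    """Pull the subject CN and the SAN dNSName entries out of `openssl x509 -text` output."""
    cn_match = re.search(r'Subject:.*?\bCN=([^/,\n]+)', cert_text)
    cn = cn_match.group(1).strip() if cn_match else None
    san_match = re.search(r'Subject Alternative Name:(?: critical)?\s*([^\n]+)', cert_text)
    sans = []
    if san_match:
        for entry in san_match.group(1).split(','):
            entry = entry.strip()
            if entry.startswith('DNS:'):
                sans.append(entry[4:].strip())
    return cn, sans

def dns_name_matches(pattern, host):
    """Case-insensitive comparison; a leading '*.' matches exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith('*.'):
        labels = host.split('.')
        return len(labels) > 1 and '.'.join(labels[1:]) == pattern[2:]
    return pattern == host

def check_peer_hostname(cert_text, requested_host, local_hostname):
    """Return (ok, name_actually_compared).

    A requested host of "localhost" is replaced by the machine's own hostname
    before comparison, as Howard describes; the SAN "localhost" entry is
    therefore never compared at all.  Simplified model, not OpenLDAP's code.
    """
    cn, sans = parse_cert_names(cert_text)
    host = local_hostname if requested_host.lower() == 'localhost' else requested_host
    candidates = sans + ([cn] if cn else [])
    return any(dns_name_matches(name, host) for name in candidates), host

if __name__ == '__main__':
    # Placeholder local hostname; on a real box this would come from gethostname().
    ok, compared = check_peer_hostname(CERT_TEXT, 'localhost', 'myhost.example.invalid')
    print('match:', ok, 'compared against:', compared)
```

With the placeholder hostname the check fails even though the SAN lists localhost, which is the symptom in Dieter's report; it passes once the certificate names the host's real name.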