Howard Chu hyc@symas.com writes:
Dieter Kluenter wrote:
Hi, I just wonder whether this is a bug in openSSL or in openLDAP; anyhow, the subjectAltName attribute values are not honoured.
openssl-0.9.8k-3.5.3.x86_64
openldap-2.4.21
ldapwhoami -Y EXTERNAL -ZZ -H ldap://localhost
ldap_start_tls: Connect error (-11)
        additional info: TLS: hostname does not match CN in peer certificate
openssl x509 -in cert.pem -noout -text
        Subject: C=DE, L=Hamburg, O=AVCI, OU=Certificate Authority, CN=rubin.avci.de/emailAddress=hdk@dkluenter.de
        ...
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:ldap.xxxx.de, DNS:dkluenter.xxxx.org
Not to mention that this is OK with other versions of openldap and openssl.
[...]
Show the output with debugging enabled. Note that "localhost" is treated specially, and will be replaced by the local hostname instead of being used directly in the name comparison.
Found the culprit. As usual it is my beloved Yast :-) This is a new setup of openSUSE-11.2; /etc/hosts has the following entries:
127.0.0.1       localhost
::1             localhost ipv6-localhost ipv6-loopback
[ more ipv6 entries ]
127.0.0.2       rubin rubin
192.168.100.16  rubin.avci.de rubin
[ more entries ]
Removing the 127.0.0.2 entry solved it.
-Dieter
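To make Howard's point about "localhost" concrete, together with the /etc/hosts finding that followed, here is an added Python model of the peer-name check; it is not code from this thread or from OpenLDAP. It resolves "localhost" to the machine's canonical name from a constructed hosts table (first matching line wins, as the glibc files resolver does) and compares that name against the certificate's SAN dNSName entries and then the CN. The resolver and libldap behaviour are simplified assumptions, and the hosts tables and certificate names are taken from the posts above.

```python
# Constructed /etc/hosts tables mirroring the thread (elided IPv6 lines omitted).
HOSTS_BROKEN = """\
127.0.0.1       localhost
::1             localhost ipv6-localhost ipv6-loopback
127.0.0.2       rubin rubin
192.168.100.16  rubin.avci.de rubin
"""
HOSTS_FIXED = "".join(l + "\n" for l in HOSTS_BROKEN.splitlines()
                      if not l.startswith("127.0.0.2"))

# Names from the certificate shown in the thread.
CERT_CN = "rubin.avci.de"
CERT_SAN_DNS = ["localhost", "ldap.xxxx.de", "dkluenter.xxxx.org"]


def canonical_name(hosts_text, name):
    """Model of the glibc 'files' resolver (assumption): the first /etc/hosts line
    listing `name` wins, and its first name column is the canonical name (what
    getaddrinfo() reports as ai_canonname)."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name.lower() in (f.lower() for f in fields[1:]):
            return fields[1]
    return None


def dns_name_matches(pattern, host):
    """dNSName comparison: case-insensitive, one leading wildcard label allowed."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h


def check_hostname(connect_host, hosts_text, local_short_name, san_dns, cn):
    """Model of libldap's peer-name check (assumption): 'localhost' is replaced by
    the machine's canonical name (gethostname() -> ai_canonname), which is then
    compared against the dNSName SANs and, failing that, the subject CN.
    Returns (name actually compared, matched?)."""
    host = connect_host
    if host.lower() == "localhost":
        host = canonical_name(hosts_text, local_short_name) or local_short_name
    matched = any(dns_name_matches(n, host) for n in san_dns) or \
        dns_name_matches(cn, host)
    return host, matched


if __name__ == "__main__":
    for label, hosts in (("broken", HOSTS_BROKEN), ("fixed", HOSTS_FIXED)):
        host, ok = check_hostname("localhost", hosts, "rubin", CERT_SAN_DNS, CERT_CN)
        print(f"{label:6s}: localhost -> {host!r}, matches cert: {ok}")
```

With the 127.0.0.2 line present, "localhost" canonicalises to the bare name "rubin", which matches neither a SAN nor the CN; without it, the 192.168.100.16 line yields "rubin.avci.de" and the CN matches.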