Re: failover config: servers with same DNS address and TLS, subjectAltName extension

Emmanuel Dreyfus wrote: It seems to me that you cannot read what is plainly in front of your face, for whatever reason. The fact that you can use environment variables to augment the OpenSSL configuration file is clearly documented at the top of the OpenSSL config(5) manual page. The use of "subjectAltName" has multiple examples in the default openssl.cnf file that is bundled with every OpenSSL release. The meaning of the word "alternative" in subjectAlternativeName is plain English, and again even the OpenLDAP Admin Guide says "Additional alias names and wildcards may be present in the subjectAltName certificate extension." The FAQ-o-Matic is pretty explicit too. http://www.openldap.org/doc/admin23/tls.html#TLS%20Certificates http://www.openldap.org/faq/index.cgi?file=185 Yet despite all the work you've put into this you've missed all of these very obvious things. Your initial assertion that the documentation for this topic is hidden or unavailable is clearly wrong. You assertion that it is in general difficult to understand doesn't seem well supported either; googling for "subjectaltname openldap" returns hundreds of hits. So it falls to just the fact that you had a hard time understanding it. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/