On Fri, 31 Oct 2008, LÉVAI Dániel wrote:
I've recreated my certificate/key pair, because I can't seem to get over this issue. I've changed the hostname in the certificate to the IP address of the server. OpenLDAP 2.4.11, Debian testing/lenny system.
...
TLS: hostname (192.168.1.3) does not match common name in certificate (192.168.1.3).
...
That last "TLS:" prefixed message bothers me; it tells me that 192.168.1.3 doesn't match with 192.168.1.3?! Why?
Hmm, you mention "Debian testing/lenny". Does that mean it uses GnuTLS? Due to differences in APIs, OpenLDAP uses different routines to perform the "check hostname against certificate" test depending on whether it's built against OpenSSL or GnuTLS. It appears the routine used with GnuTLS refuses to match IP addresses against a subject CN component, thus explaining that weird message.
(In ldap_pvt_tls_check_hostname(), 'len1' is only non-zero if the hostname doesn't look like an IPv6 or IPv4 address, while the subject CN test needs 'len1' to be the same as the length of the CN value.)
I suggest you file an ITS about that.
Philip Guenther
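A compact model of the length mix-up Philip describes, added here as an illustration and not taken from the thread: it is not OpenLDAP's ldap_pvt_tls_check_hostname() and does not reproduce that code; the function names, the address-parsing helper and the sample hostname are my own. It shows why an IP-literal hostname can never satisfy a CN comparison whose length operand is zeroed for IP literals, and puts a version beside it that compares IP literals by binary address instead.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>

/* Return the address family if `host` parses as an IPv4/IPv6 literal, else 0.
 * If `out` is non-NULL, the binary address is written there (16 bytes max).
 * Hypothetical helper, written for this example. */
static int parse_ip_literal(const char *host, unsigned char *out)
{
    struct in_addr a4;
    struct in6_addr a6;
    if (inet_pton(AF_INET, host, &a4) == 1) {
        if (out) memcpy(out, &a4, sizeof a4);
        return AF_INET;
    }
    if (inet_pton(AF_INET6, host, &a6) == 1) {
        if (out) memcpy(out, &a6, sizeof a6);
        return AF_INET6;
    }
    return 0;
}

/* Model of the flawed flow described in the reply: the hostname length used
 * in the CN comparison stays zero whenever the hostname is an IP literal, so
 * the test "len1 == strlen(cn)" can never hold for an IP, even when host and
 * CN are byte-for-byte identical. Returns 1 on match, 0 on mismatch. */
int check_hostname_buggy(const char *host, const char *cn)
{
    size_t len1 = 0;
    if (!parse_ip_literal(host, NULL))
        len1 = strlen(host);               /* only set for DNS-style names */
    return len1 == strlen(cn) && strncasecmp(host, cn, len1) == 0;
}

/* Corrected version: an IP-literal hostname is compared with the CN as a
 * binary address (so textual variants such as "::1" and "0:0:0:0:0:0:0:1"
 * still match); anything else is a case-insensitive exact name compare. */
int check_hostname_fixed(const char *host, const char *cn)
{
    unsigned char h[16], c[16];
    int hf = parse_ip_literal(host, h);
    if (hf) {
        int cf = parse_ip_literal(cn, c);
        if (cf != hf) return 0;            /* CN is not an address of the same family */
        return memcmp(h, c, hf == AF_INET ? 4 : 16) == 0;
    }
    return strlen(host) == strlen(cn) && strcasecmp(host, cn) == 0;
}

int main(void)
{
    const char *host = "192.168.1.3";   /* constructed input: the address from the report */
    printf("buggy: %s vs CN %s -> %s\n", host, host,
           check_hostname_buggy(host, host) ? "match" : "MISMATCH");
    printf("fixed: %s vs CN %s -> %s\n", host, host,
           check_hostname_fixed(host, host) ? "match" : "MISMATCH");
    return 0;
}
```

The buggy variant reproduces the puzzling "192.168.1.3 does not match 192.168.1.3" outcome; the fixed variant also accepts equivalent spellings of the same IPv6 address, which a plain string compare would not.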