Sending again, because I'm not sure if the first message got through since I had not acknowledged my membership...
Steven Seed wrote:
I have an ldap server set up with an SSL certificate such that the CN=hostname.fqdn. In the same certificate I have created a SubjectAltName with several DNS aliases. With everything configured properly in my ldap.conf file, I can make TLS connections to my ldap server as long as I use the hostname that matches the CN, but if I change my connection to use one of the aliases in the SubjectAltName I get:
ldap_start_tls: Can't contact LDAP server (-1)
        additional info: TLS: hostname does not match CN in peer certificate
Here is the end of the debug output...I can supply the full output, but it's quite large:
tls_read: want=5, got=5
  0000:  16 03 01 00 30                                    ....0
tls_read: want=48, got=48
  0000:  43 2b a5 b7 12 ef 88 f7  76 30 63 78 4c 16 99 0b  C+......v0cxL...
  0010:  5f 26 f8 34 db 15 1b 24  e7 e2 bd 60 c4 25 b4 e4  _&.4...$...`.%..
  0020:  0b d4 e7 27 f0 93 1b 6e  40 2a 5c ce a2 69 cd 2d  ...'...n@*..i.-
TLS: hostname (fatestldap.fas.fa.disney.com) does not match common name in certificate (Proton.fas.fa.disney.com).
ldap_start_tls: Can't contact LDAP server (-1)
        additional info: TLS: hostname does not match CN in peer certificate
An openssl dump of the certificate yields the following in the SubjectAltName section:
Certificate:
    Data:
        CN=Proton.fas.fa.disney.com
        X509v3 Extended Key Usage:
            TLS Web Server Authentication
        X509v3 Subject Alternative Name:
            email:dns:faldap,dns:fatestldap,dns:faldap.fas.fa.disney.com,dns:fatestldap.fas.fa.disney.com
        X509v3 CRL Distribution Points:
            DirName:/DC=com/DC=disney/OU=PKI/CN=The Walt Disney Company Enterprise CA/CN=CRL27
            URI:http://cdp.disney.pvt/CRL/EnterpriseCRL.crl
            URI:http://cdp.disney.com/CRL/EnterpriseCRL.crl
Can anyone help me figure out what is going wrong? This is the same with both version 2.2.13 and 2.3.32 of openldap. Does the SubjectAltName format look correct?
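An added illustration (not the poster's code and not OpenLDAP's implementation) of how a TLS client checks a hostname against a server certificate: dNSName entries in subjectAltName are compared first, and the subject CN is only a fallback when the SAN carries no dNSName. It assumes the openssl dump above was pasted verbatim, in which case the SAN line is a single entry of type `email` whose value happens to contain the aliases, since openssl prints dNSName entries as `DNS:name` separated by `, `; the second constant is the constructed form such a SAN would take with one dNSName per alias.

```python
"""Model of RFC 6125 style hostname matching against subjectAltName and CN.
Added example; OpenLDAP's exact CN-fallback order is not reproduced here."""

# Values from the post (CN and SAN line as printed) plus one constructed SAN
# showing how four separate dNSName entries look in openssl text output.
CN = "Proton.fas.fa.disney.com"
SAN_AS_POSTED = ("email:dns:faldap,dns:fatestldap,dns:faldap.fas.fa.disney.com,"
                 "dns:fatestldap.fas.fa.disney.com")
SAN_EXPECTED = ("DNS:faldap, DNS:fatestldap, DNS:faldap.fas.fa.disney.com, "
                "DNS:fatestldap.fas.fa.disney.com")  # constructed

def parse_san(text):
    """Split an openssl-text SAN line into (type, value) pairs.
    openssl separates entries with ', ', so a bare ',' inside a value stays in it."""
    entries = []
    for item in text.split(", "):
        kind, _, value = item.strip().partition(":")
        if kind:
            entries.append((kind.lower(), value))
    return entries

def dns_match(pattern, hostname):
    """Case-insensitive match; '*' allowed only as the entire left-most label."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p == h:
        return True
    if not p.startswith("*."):
        return False
    pl, hl = p.split("."), h.split(".")
    return len(pl) == len(hl) and pl[1:] == hl[1:]

def verify_hostname(hostname, cn, san_text):
    """Return (ok, reason). dNSName entries are authoritative when present;
    the CN is consulted only for certificates with no dNSName at all."""
    dns_names = [v for k, v in parse_san(san_text) if k == "dns"]
    if dns_names:
        if any(dns_match(n, hostname) for n in dns_names):
            return True, "matched subjectAltName dNSName"
        return False, "no subjectAltName dNSName matches"
    if dns_match(cn, hostname):
        return True, "matched subject CN (no dNSName in SAN)"
    return False, "hostname does not match CN in peer certificate"

if __name__ == "__main__":
    for san in (SAN_AS_POSTED, SAN_EXPECTED):
        print(parse_san(san))
        print(verify_hostname("fatestldap.fas.fa.disney.com", CN, san))
```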