--On June 5, 2007 6:28:11 PM -0400 "West, Jon (NIH/NIMH) [C]" wjon@mail.nih.gov wrote:
Yes, I actually have it looking at the cert, but I still get a connection error when using TLS. I think I understand it:
ldap_start_tls: Connect error (-11)
additional info: TLS: hostname does not match CN in peer certificate
I think this is because I used 'test.com' as the server name when generating the cert rather than the actual server? test.com is just the test domain I am using.
Hi,
Please keep replies to the list.
This error means that the host name in the certificate does not match the hostname for the server. They must match to establish a TLS connection.
--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
On Wednesday, 6 June 2007, West, Jon (NIH/NIMH) [C] wrote:
my server is 'myserver.com' but I'm hosting the ldap domain 'NOTmyserver.com' (test.com in this case) I have to use myserver.com when creating the cert, not the ldap domain correct?
Certificates have nothing to do with a base dn (or a realm), and LDAP servers don't host domains (unless you're actually using bind sdb_ldap, or something similar), but suffixes/base DNs.
For certificate validation:
-The date/time on the client must be within the validity period of the certificate
-The certificate must be issued by a CA trusted by the client
-The certificate must be issued with a subject CN (or subjectAlternativeName) value that matches the *name* (IP address is possible if the subjectAlternativeName lists the IP and the client software supports this) the *client application* connects to.
DNS does not matter.
All that matters is that when you use -h server.mydomain.com, the subject CN (or subjectAlternativeName) on the cert offered by the server that responds must be server.mydomain.com.
You can't use -h server with subject CN of my.server.com (even if -h server resolves to -h server.mydomain.com), as the name the software is using does not match the cert.
So, explain what "serveraddress" is whenever you post a command you are using ...
BTW: You may also want to consider upgrading:
2.2.13 to: http://anorien.warwick.ac.uk/mirrors/buchan/openldap/rhel4/
2.0.27 to: http://anorien.warwick.ac.uk/mirrors/buchan/openldap/rhel3/
(more up-to-date packages are built, I just can't upload them at present)
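The check the reply above describes, as an added example that is not part of the thread and not libldap's or OpenSSL's code: a client-side hostname match of the kind that produces "TLS: hostname does not match CN in peer certificate". The server certificate is constructed inline in the dict layout Python's ssl.SSLSocket.getpeercert() returns; myserver.com, ldap.myserver.com, test.com and 192.0.2.10 are placeholder values, not real hosts. It goes slightly beyond the reply by also handling a wildcard SAN, an IP-address SAN, and the CN-only fallback used when a certificate carries no DNS subjectAltName.

```python
# Added example: the TLS hostname check a client applies to the name it was told
# to connect to (the -h value) against the certificate the server presents.
# Constructed data: the certificate and clocks below are made up for illustration.
from datetime import datetime, timezone
import ipaddress

# Certificate issued for the server's real name; the LDAP suffix's domain
# ('test.com') does not appear anywhere in it, exactly as in the thread.
SERVER_CERT = {
    "subject": ((("commonName", "myserver.com"),),),
    "subjectAltName": (
        ("DNS", "myserver.com"),
        ("DNS", "ldap.myserver.com"),
        ("IP Address", "192.0.2.10"),
    ),
    "notBefore": "Jun  1 00:00:00 2007 GMT",
    "notAfter": "Jun  1 00:00:00 2008 GMT",
}

CLIENT_CLOCK = datetime(2007, 6, 6, tzinfo=timezone.utc)   # inside validity
EXPIRED_CLOCK = datetime(2009, 1, 1, tzinfo=timezone.utc)  # after notAfter

ERR_HOSTNAME = "TLS: hostname does not match CN in peer certificate"
ERR_VALIDITY = "TLS: certificate is not within its validity period"


def _parse_cert_time(text):
    """Parse the 'Jun  1 00:00:00 2007 GMT' form getpeercert() uses; GMT is UTC."""
    text = text.replace(" GMT", "")
    return datetime.strptime(text, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def cert_names(cert):
    """Return (dns_names, ip_addresses) the client is allowed to match against.
    Following RFC 6125: subjectAltName DNS entries take precedence, and the
    subject CN is consulted only when there is no DNS SAN at all."""
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    if not dns:
        dns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return dns, ips


def _dns_match(pattern, host):
    """Exact, case-insensitive comparison of DNS names; a leading '*.' label
    may stand in for exactly one label and never for a whole registrable domain."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host


def hostname_matches(cert, connect_name):
    """True if the literal name the client connects with is covered by the cert.
    DNS resolution plays no part: 'myserver' and 'myserver.com' are different
    names here even if both resolve to the same address."""
    dns, ips = cert_names(cert)
    try:
        wanted = ipaddress.ip_address(connect_name)
    except ValueError:
        # Not an IP literal, so compare against DNS names only.
        return any(_dns_match(p, connect_name) for p in dns)
    # IP literals match only an "IP Address" SAN, never the CN.
    return any(ipaddress.ip_address(i) == wanted for i in ips)


def validity_ok(cert, now):
    """The client's clock must fall inside [notBefore, notAfter]."""
    return _parse_cert_time(cert["notBefore"]) <= now <= _parse_cert_time(cert["notAfter"])


def start_tls_check(cert, connect_name, now=None):
    """Mimic the decision behind ldap_start_tls: None on success, else the reason.
    (Chain validation against the trusted CA set is the third rule from the
    thread and is out of scope for this name-matching example.)"""
    now = CLIENT_CLOCK if now is None else now
    if not validity_ok(cert, now):
        return ERR_VALIDITY
    if not hostname_matches(cert, connect_name):
        return ERR_HOSTNAME
    return None


if __name__ == "__main__":
    for name in ("myserver.com", "ldap.myserver.com", "test.com", "myserver", "192.0.2.10"):
        print(f"-h {name:<18} -> {start_tls_check(SERVER_CERT, name) or 'ok'}")
```

Run stand-alone it reports "ok" for myserver.com, ldap.myserver.com and 192.0.2.10 and the hostname error for test.com and the bare short name myserver, which is the point of the reply: the certificate has to be issued for the name the client application actually types after -h, so the fix for the original poster is to reissue the server certificate with that host name in the CN (or, better, as a DNS subjectAltName), not with the LDAP suffix's domain.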