Jeremiah,
I did the test with TLS_REQCERT set to 'allow' and got the same result as you. I am not sure what they mean by 'bad certificate' in the manual page of 'ldap.conf'.
Generally a bad certificate means a certificate whose signature cannot be verified by the SSL library, or a missing certificate. If a certificate is provided and the SSL library can verify it, then it will be used. If the hostname doesn't match, the connection will fail. I.e., hostname matches are never ignored once the certificate is verified. For a load balancing situation you must use subjectAltNames with the relevant names, that's all there is to it.
--
Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
Howard Chu,
Sorry to resurrect this thread after so many months. I have a question as to why, if I put in "TLS_REQCERT never" in my ldap.conf, openldap does any actions with any certificates. It seems to me from the man page for ldap.conf that never causes "The client will not request or check any server certificate."
In my instance (I still haven't solved this problem), I put in "TLS_REQCERT never" in my ldap.conf, but still get this error from openldap:
TLS: hostname (loadbalancer.example.com) does not match common name in certificate (server1.example.com).
Your thoughts?
Thanks, - Jeremiah
"Jeremiah Martell" inlovewithgod@gmail.com writes:
Jeremiah,
[...]
TLS: hostname (loadbalancer.example.com) does not match common name in certificate (server1.example.com).
The host certificate is issued for CN:server1.example.com, but the host you are connecting to is loadbalancer.example.com. You have to create a subject alternative name in the host's certificate. That is, you have to configure a subjectAltName in openssl.cnf, something like

...
[ usr_cert ]
...
subjectAltName=DNS:localhost, DNS:loadbalancer.example.com
-Dieter
I don't see this...
[put NotTheCert in /etc/hosts]
$ ldapsearch -x -LLL -ZZ -H "ldap://NotTheCert.rutgers.edu/" '(doesnt=exist)'
No such object (32)
$ ed ldap.conf
633
1,$s/never/demand/p
TLS_REQCERT demand
w
634
q
$ ldapsearch -x -LLL -ZZ -H "ldap://NotTheCert.rutgers.edu/" '(doesnt=exist)'
ldap_start_tls: Connect error (-11)
        additional info: TLS: hostname does not match CN in peer certificate
Certainly appears to instigate different behavior to me.
However, the whole point of the load balancer is to make everything look the same. Toward that end, why would you want server1 and server2 to look different--might as well lose the load balancer at that point. With the load balancer, either use subjectAltNames, or just get a cert for "loadbalancer.example.com" and use that. We do the latter; I don't *want* the users to see that they're connected to server1 or server2 or....
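An added example, not part of Dieter's or Aaron's posts and not OpenLDAP project code, that exercises the two certificate shapes they describe: Dieter's subjectAltName in an openssl.cnf [ usr_cert ] section, and Aaron's plain certificate issued for the load balancer name. It builds throwaway self-signed certificates for the names used in this thread and asks OpenSSL to verify each one against a host name, which is the same two-stage check Howard describes: signature first, then host name. It assumes an openssl binary of 1.1.0 or later (for -verify_hostname) is on the PATH; the certificates, the temporary directory and the helper names (make_cert, check_host, run_demo) are all constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): how OpenSSL's host name check treats a
# certificate issued for CN=server1.example.com versus one that also carries a
# subjectAltName for the load balancer name. All material is constructed locally.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME CN [SAN]
# Writes a minimal openssl.cnf with a [ usr_cert ] extension section (the
# section Dieter points at), then issues a self-signed certificate
# $WORK/NAME.pem with that CN and, if given, that subjectAltName list.
make_cert() {
    name=$1; cn=$2; san=${3:-}
    {
        printf '[ req ]\ndistinguished_name = dn\nprompt = no\n'
        printf '[ dn ]\nCN = %s\n' "$cn"
        printf '[ usr_cert ]\nbasicConstraints = CA:TRUE\n'
        if [ -n "$san" ]; then printf 'subjectAltName = %s\n' "$san"; fi
    } > "$WORK/$name.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/$name.cnf" -extensions usr_cert \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" >/dev/null 2>&1
}

# check_host NAME HOST
# Verifies the certificate the way a TLS client would: signature first (the
# self-signed certificate is its own trust anchor here), then HOST against the
# DNS subjectAltNames, falling back to the CN only when no DNS SAN is present.
# Prints "match" or "mismatch".
check_host() {
    name=$1; host=$2
    if openssl verify -CAfile "$WORK/$name.pem" -verify_hostname "$host" \
            "$WORK/$name.pem" 2>&1 | grep -q ': OK$'; then
        echo match
    else
        echo mismatch
    fi
}

# The three certificate shapes discussed in the thread:
#   cn_only  - what Jeremiah has: CN=server1.example.com, no SAN
#   with_san - Dieter's fix: CN=server1.example.com plus a SAN for the balancer
#   lb_only  - Aaron's approach: a certificate issued for the balancer name
make_cert cn_only  server1.example.com
make_cert with_san server1.example.com "DNS:server1.example.com, DNS:loadbalancer.example.com"
make_cert lb_only  loadbalancer.example.com

# run_demo prints one line per (certificate, host name) pair.
run_demo() {
    for pair in \
        "cn_only:server1.example.com" \
        "cn_only:loadbalancer.example.com" \
        "with_san:server1.example.com" \
        "with_san:loadbalancer.example.com" \
        "lb_only:loadbalancer.example.com" \
        "lb_only:server1.example.com"
    do
        cert=${pair%%:*}; host=${pair#*:}
        printf '%-9s %-26s %s\n' "$cert" "$host" "$(check_host "$cert" "$host")"
    done
}
run_demo
```

The cn_only certificate matches server1.example.com and nothing else, which is exactly the state the "hostname (loadbalancer.example.com) does not match common name" error reports; with_san satisfies both names, and lb_only satisfies only the balancer name, hiding which backend answered. Note that once a certificate carries DNS subjectAltNames, the CN is no longer consulted for the match, so the SAN list must include every name clients will connect to.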
Aaron Richton wrote:
I don't see this...
You're seeing the correct behavior; libldap was changed along these lines back in April 2003. If someone is trying this and getting a different behavior they must be using a very very old library.
I'm using openldap-2.2.17. Is that too old? The openldap FTP site says it was released on Sep 13, 2004.
Thanks, - Jeremiah
On 10/18/06, Howard Chu hyc@symas.com wrote:
You're seeing the correct behavior; libldap was changed along these lines back in April 2003. If someone is trying this and getting a different behavior they must be using a very very old library.
openldap-software@openldap.org