Sending again, because I'm not sure if the first message got through since I had not acknowledged my membership...
Steven Seed wrote:
I have an ldap server set up with an SSL certificate such that the CN=hostname.fqdn. In the same certificate I have created a SubjectAltName with several DNS aliases. With everything configured properly in my ldap.conf file, I can make TLS connections to my ldap server as long as I use the hostname that matches the CN, but if I change my connection to use one of the aliases in the SubjectAltName I get:
ldap_start_tls: Can't contact LDAP server (-1)
        additional info: TLS: hostname does not match CN in peer certificate
Here is the end of the debug output...I can supply the full output, but it's quite large:
tls_read: want=5, got=5
  0000:  16 03 01 00 30                                     ....0
tls_read: want=48, got=48
  0000:  43 2b a5 b7 12 ef 88 f7  76 30 63 78 4c 16 99 0b   C+......v0cxL...
  0010:  5f 26 f8 34 db 15 1b 24  e7 e2 bd 60 c4 25 b4 e4   _&.4...$...`.%..
  0020:  0b d4 e7 27 f0 93 1b 6e  40 2a 5c ce a2 69 cd 2d   ...'...n@*..i.-
TLS: hostname (fatestldap.fas.fa.disney.com) does not match common name in certificate (Proton.fas.fa.disney.com).
ldap_start_tls: Can't contact LDAP server (-1)
        additional info: TLS: hostname does not match CN in peer certificate
An openssl dump of the certificate yields the following in the SubjectAltName section:
Certificate:
    Data:
        CN=Proton.fas.fa.disney.com
        X509v3 Extended Key Usage:
            TLS Web Server Authentication
        X509v3 Subject Alternative Name:
            email:dns:faldap,dns:fatestldap,dns:faldap.fas.fa.disney.com,dns:fatestldap.fas.fa.disney.com
        X509v3 CRL Distribution Points:
            DirName:/DC=com/DC=disney/OU=PKI/CN=The Walt Disney Company Enterprise CA/CN=CRL27
            URI:http://cdp.disney.pvt/CRL/EnterpriseCRL.crl
            URI:http://cdp.disney.com/CRL/EnterpriseCRL.crl
Can anyone help me figure out what is going wrong? This is the same with both versions 2.2.13 and 2.3.32 of openldap. Does the SubjectAltName format look correct?
Your subjectAltName appears to have encoded an email extension with the string "dns:....." as its value, instead of an actual dns extension. So basically, your subjectAltName is wrong.
openldap-software@openldap.org
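What the reply describes, shown as an added example that is not part of the thread: a client-side hostname check of the kind a TLS client runs before trusting the peer, applied to two constructed certificate records in the dict shape Python's ssl.getpeercert() returns. One record carries the SAN as the dump above shows it (a single email entry whose value is the literal "dns:..." string), the other carries each alias as its own dNSName entry, which openssl prints as "DNS:faldap, DNS:fatestldap, ...".

```python
# Hostname matching as a TLS client performs it: only dNSName SAN entries
# count; an rfc822Name (type 'email') is never consulted, whatever its value.

def _label_match(pattern, hostname):
    """Case-insensitive DNS name comparison; a single leading '*.' wildcard
    matches exactly one label (RFC 6125 style)."""
    pattern, hostname = pattern.lower().rstrip('.'), hostname.lower().rstrip('.')
    if pattern.startswith('*.'):
        p_labels, h_labels = pattern.split('.')[1:], hostname.split('.')
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == hostname

def dns_names(cert):
    """dNSName entries only; the broken certificate yields an empty list."""
    return [v for t, v in cert.get('subjectAltName', ()) if t == 'DNS']

def common_name(cert):
    for rdn in cert.get('subject', ()):
        for attr, value in rdn:
            if attr == 'commonName':
                return value
    return None

def check_hostname(cert, hostname):
    """Return (ok, reason). The CN is a legacy fallback used only when the
    certificate carries no dNSName at all, as RFC 6125 requires."""
    names = dns_names(cert)
    for name in names:
        if _label_match(name, hostname):
            return True, 'matched dNSName %s' % name
    cn = common_name(cert)
    if not names and cn and _label_match(cn, hostname):
        return True, 'matched CN %s (no dNSName present)' % cn
    return False, 'hostname %s matches neither dNSName %s nor CN %s' % (hostname, names, cn)

# Constructed: the SAN exactly as the thread's openssl dump shows it.
BROKEN_CERT = {
    'subject': ((('commonName', 'Proton.fas.fa.disney.com'),),),
    'subjectAltName': (('email', 'dns:faldap,dns:fatestldap,'
                        'dns:faldap.fas.fa.disney.com,dns:fatestldap.fas.fa.disney.com'),),
}
# Constructed: one dNSName per alias; the CN is repeated as a dNSName so that
# clients which ignore the CN once any dNSName exists still accept it.
FIXED_CERT = {
    'subject': ((('commonName', 'Proton.fas.fa.disney.com'),),),
    'subjectAltName': (('DNS', 'Proton.fas.fa.disney.com'), ('DNS', 'faldap'),
                       ('DNS', 'fatestldap'), ('DNS', 'faldap.fas.fa.disney.com'),
                       ('DNS', 'fatestldap.fas.fa.disney.com')),
}

if __name__ == '__main__':
    for label, cert in (('broken', BROKEN_CERT), ('fixed', FIXED_CERT)):
        for host in ('Proton.fas.fa.disney.com', 'fatestldap.fas.fa.disney.com'):
            ok, why = check_hostname(cert, host)
            print('%-6s %-30s %s %s' % (label, host, 'OK  ' if ok else 'FAIL', why))
```

Against BROKEN_CERT only the CN hostname passes, reproducing the error in the thread; against FIXED_CERT every alias passes through its dNSName entry.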