My cert on my LDAP server contains multiple commonName entries.
openssl x509 -noout -in s014-ldap-cert.pem -subject
subject= /C=US/ST=California/O=FooBar/CN=s014.cgi.foobar.com/CN=ldap1.cgi.foobar.com/CN=s14.cgi.foobar.com
The LDAP server FQHN is s014.cgi.foobar.com and has aliases of ldap1.cgi.foobar.com and s14.cgi.foobar.com. All hostname resolution is done with our internal DNS servers and they all have the correct FQHN and aliases.
On my secondary mirror LDAP server I have syncrepl set up to use the hostname alias ldap1.cgi.foobar.com:
syncrepl ... provider=ldap://ldap1.cgi.foobar.com starttls=critical ...
and that works fine.
When I have my ldap.conf with "URI ldap://s014.cgi.foobar.com", the command "ldapsearch -x -ZZ" works just fine.
When I change my ldap.conf to "URI ldap://ldap1.cgi.foobar.com", the command "ldapsearch -x -ZZ" returns:
ldap_start_tls: Connect error (-11)
additional info: TLS: hostname does not match CN in peer certificate
It seems the openldap library is only checking the first CN in the certificate and not all the others. Is there any way to have it check the other CN entries in the cert?
Robert Minsk writes:
> My cert on my LDAP server contains multiple commonName entries.
> openssl x509 -noout -in s014-ldap-cert.pem -subject
> subject= /C=US/ST=California/O=FooBar/CN=s014.cgi.foobar.com/CN=ldap1.cgi.foobar.com/CN=s14.cgi.foobar.com
There is only supposed to be one CN in the certificate name. However you can put multiple hostnames in the certificate's Subject Alternative Name (aka Subject Alt Name) extension.
Hallvard B Furuseth wrote:
> Robert Minsk writes:
>> My cert on my LDAP server contains multiple commonName entries.
>> openssl x509 -noout -in s014-ldap-cert.pem -subject
>> subject= /C=US/ST=California/O=FooBar/CN=s014.cgi.foobar.com/CN=ldap1.cgi.foobar.com/CN=s14.cgi.foobar.com
> There is only supposed to be one CN in the certificate name.
Well, there can be any number of CNs in a DN. But only the most-inferior RDN actually names the certificate, therefore that's the only one that may be used in hostname checking.
Strange that he said the syncrepl config works, since the syncrepl consumer uses the same libldap functions as the ldapsearch command line to open a TLS session. Unless of course his slapd is not linked with the same version of the libraries as his command line tools.
> However you can put multiple hostnames in the certificate's Subject Alternative Name (aka Subject Alt Name) extension.
Right.
Howard Chu writes:
> Well, there can be any number of CNs in a DN. But only the most-inferior RDN actually names the certificate, therefore that's the only one that may be used in hostname checking.
Then something (OpenSSL?) is broken. The hostname which succeeded is in the topmost of his RDNs which has a CN, not in the most inferior RDN.
Hallvard B Furuseth wrote:
> Howard Chu writes:
>> Well, there can be any number of CNs in a DN. But only the most-inferior RDN actually names the certificate, therefore that's the only one that may be used in hostname checking.
> Then something (OpenSSL?) is broken. The hostname which succeeded is in the topmost of his RDNs which has a CN, not in the most inferior RDN.
Hm, good point. The OpenSSL function used in libldap/tls.c doesn't have an argument to specify which CN to return. That code may need to be rewritten.
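To make the two rules discussed in this thread concrete, here is an added example (not code from the thread or from OpenLDAP) that parses the OpenSSL one-line subject shown above, picks either the first or the most-inferior (last) CN, and prefers subjectAltName dNSName entries over any CN as RFC 6125 requires. The `san_dns` tuple and the `cn_policy` switch are assumptions of this example, not libldap options.

```python
def parse_openssl_subject(subject):
    """Parse OpenSSL's one-line '/C=US/ST=.../CN=...' subject into ordered
    (attribute, value) pairs: most-significant RDN first, most-inferior last.
    Assumes no attribute value itself contains a '/' (true for the cert above)."""
    s = subject.split("=", 1)[1] if subject.startswith("subject=") else subject
    rdns = []
    for part in s.strip().strip("/").split("/"):
        if part:
            attr, _, value = part.partition("=")
            rdns.append((attr.strip(), value.strip()))
    return rdns


def cn_values(rdns):
    """All CN values in DN order (the questioner's cert has three)."""
    return [v for a, v in rdns if a.upper() == "CN"]


def _match_dns(pattern, hostname):
    """Case-insensitive DNS-name match; a '*' is honoured only as the whole
    leftmost label and must match exactly one label (RFC 6125 section 6.4.3)."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_hostname(hostname, subject, san_dns=(), cn_policy="last"):
    """Return the certificate name that matched hostname, or None.
    If the cert carries SAN dNSName entries they are authoritative and the CN
    is never consulted. Otherwise exactly one CN is used: 'last' is the
    most-inferior RDN (the reading argued in the thread), 'first' reproduces
    the behaviour the questioner observed with s014.cgi.foobar.com."""
    if san_dns:
        for name in san_dns:
            if _match_dns(name, hostname):
                return name
        return None
    cns = cn_values(parse_openssl_subject(subject))
    if not cns:
        return None
    cn = cns[-1] if cn_policy == "last" else cns[0]
    return cn if _match_dns(cn, hostname) else None
```

With the cert from the thread, ldap1.cgi.foobar.com fails under both CN policies; it only verifies once the three names are carried as SAN dNSName entries.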
openldap-software@openldap.org