r0m5 wrote:
On 2017-08-09 14:13, Michael Ströder wrote:
Many problems like this are caused by not getting the PKI to issue correct public-key certs. Especially you should put all DNS names a LDAP client might use to connect to your LDAP server in subjectAltName extension.
E.g. ITS#8427 says: "Provide the servers with TLS certificates that are correct but do not include an address used in syncrepl provider setting." What the heck does that mean?!?
I guess the guy uses in order to reproduce a provider certificate which is signed by a CA his consumer trusts, but the consumer connects to the provider using a DNS name different from the certificate CN and not included in subjectAltName.
Yes, therefore I'd see ITS#8427 resolved as do-not-use-broken-certs.
Regarding my applications randomly failing STARTTLS to my consumers, it's not related to the use of a DNS name different from the certificate CN and not included in subjectAltName. Considering an application using always the same DNS name [..] I will dig more into it. So far it appears that only PHP applications fail this way; it seems like there are no problems with STARTTLS from freeradius or Apache Basic AuthType with AuthBasicProvider ldap.
Then this sounds like PHP-LDAP being broken.
Ciao, Michael.
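The check behind Michael's advice, as an added example that is not part of the thread: given a certificate in the shape `ssl.SSLSocket.getpeercert()` returns (a constructed sample here) and the `provider=` URI a syncrepl consumer uses, decide whether the cert covers that hostname. It mirrors how libldap/OpenSSL verify a name: SAN dNSName entries win when present, the CN is only a legacy fallback, and a wildcard is honoured only in the leftmost label.

```python
from urllib.parse import urlsplit

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# the provider cert is valid for two names, but a consumer whose syncrepl
# "provider=" URI uses a third name will fail TLS hostname verification.
PROVIDER_CERT = {
    "subject": ((("commonName", "ldap1.example.com"),),),
    "subjectAltName": (("DNS", "ldap1.example.com"), ("DNS", "ldap.example.com")),
}


def cert_dns_names(cert):
    """Names the cert is valid for: SAN dNSName entries if present, else the legacy CN."""
    sans = [v.lower() for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans  # once a SAN exists, the CN is ignored
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Match one cert name against a host; wildcard only in the leftmost label (RFC 6125)."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # "*.example.com" covers "ldap2.example.com" but not "a.b.example.com"
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def uri_host(ldap_uri):
    """Hostname part of an ldap:// or ldaps:// URI, i.e. what the consumer verifies the cert against."""
    return urlsplit(ldap_uri).hostname


def cert_covers_uri(cert, ldap_uri):
    """True if the cert is valid for the host named in the syncrepl provider URI."""
    host = uri_host(ldap_uri)
    return any(name_matches(n, host) for n in cert_dns_names(cert))


if __name__ == "__main__":
    for uri in ("ldap://ldap1.example.com:389", "ldap://ldap-provider.example.com"):
        print(uri, "->", "covered" if cert_covers_uri(PROVIDER_CERT, uri) else "NOT covered")
```

Run it against the real output of `getpeercert()` from an `ssl`-wrapped connection to the provider to see which of your consumers' URIs are missing from the SAN.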