On Thu, Jan 12, 2012 at 05:31:31PM +0100, Michael Ströder wrote:
We're using self-compiled OpenLDAP 2.4.27 under RHEL 6.1 linked against OpenSSL 1.0.0 libs shipped with RHEL.
Unfortunately we can't get StartTLS to work. It always fails:
# /opt/xxxdir/bin/ldapsearch -x -ZZ ldap://ldap-srv01.rz.domain
ldap_start_tls: Connect error (-11)
	additional info: TLS: hostname does not match CN in peer certificate
# /opt/xxxdir/bin/ldapsearch -x -ZZ ldap://ldap.domain
ldap_start_tls: Connect error (-11)
	additional info: TLS: hostname does not match CN in peer certificate
But OpenSSL lists the (IMO correct) hostnames in the server's certificate:
---------------------------------- snip ----------------------------------
Subject: CN=ldap.domain,OU=xxx,O=xxx,C=DE
[..]
X509v3 Subject Alternative Name:
    email:certificate@xxx.domain, DNS:ldap.domain, DNS:ldap-srv01.rz.domain, DNS:ldap-srv02.rz.domain
---------------------------------- snip ----------------------------------
Is the hostname check confused by the email in the first subjectAltName sequence value?
Probably not. I have just set up a test case like that and it works. All software is current versions on Debian Squeeze:
@(#) $OpenLDAP: slapd 2.4.23 (Jun 15 2011 13:31:57) $ @incagijs:/home/thijs/debian/p-u/openldap-2.4.23/debian/build/servers/slapd
OpenSSL 0.9.8o 01 Jun 2010
I usually find that the problem is with the client-side setup, probably not getting the right TLS_CACERT value (i.e. in your case maybe /opt/xxxdir/bin/ldapsearch is reading /opt/xxxdir/etc/openldap/ldap.conf rather than /etc/openldap/ldap.conf).
Andrew
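As an added illustration (not code from this thread or from OpenLDAP), a small Python check that applies the RFC 6125 hostname-matching rules to the certificate text quoted above: non-DNS SAN entries such as the email: value are simply skipped, so the email entry cannot be what confuses the check. CERT_TEXT is constructed from the snip in Michael's mail, and the function names are the example's own.

```python
import re

# Constructed sample: the Subject and SAN lines from the "openssl x509 -text"
# snip in the thread (not a real certificate).
CERT_TEXT = """\
Subject: CN=ldap.domain,OU=xxx,O=xxx,C=DE
X509v3 Subject Alternative Name:
    email:certificate@xxx.domain, DNS:ldap.domain, DNS:ldap-srv01.rz.domain, DNS:ldap-srv02.rz.domain
"""


def parse_cert_text(text):
    """Return (subject_cn, [dns_san_names]) from openssl x509 -text style output."""
    cn = None
    m = re.search(r"^\s*Subject:.*?CN=([^,\n]+)", text, re.M)
    if m:
        cn = m.group(1).strip()
    dns = []
    m = re.search(r"Subject Alternative Name:\s*(.*)", text)
    if m:
        for entry in m.group(1).split(","):
            entry = entry.strip()
            # Only dNSName entries count for hostname matching; email:, URI:,
            # IP Address: and friends are ignored, whatever position they occupy.
            if entry.startswith("DNS:"):
                dns.append(entry[4:].lower())
    return cn, dns


def _name_matches(pattern, host):
    """Case-insensitive label comparison; a single leftmost '*' label is allowed."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def hostname_matches(cert_text, hostname):
    """RFC 6125 style: dNSName SANs are authoritative when present,
    the Subject CN is consulted only when the certificate has none."""
    cn, dns = parse_cert_text(cert_text)
    if dns:
        return any(_name_matches(d, hostname) for d in dns)
    return cn is not None and _name_matches(cn, hostname)
```

To confirm which ldap.conf a self-compiled ldapsearch actually reads, run it under `strace -e trace=file` and look for the config path it opens.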