HI!
We're using self-compiled OpenLDAP 2.4.27 under RHEL 6.1 linked against OpenSSL 1.0.0 libs shipped with RHEL.
(some names are consistently obfuscated herein to keep real names confidential)
Unfortunately we can't get StartTLS to work. It always fails:
# /opt/xxxdir/bin/ldapsearch -x -ZZ ldap://ldap-srv01.rz.domain
ldap_start_tls: Connect error (-11)
        additional info: TLS: hostname does not match CN in peer certificate
# /opt/xxxdir/bin/ldapsearch -x -ZZ ldap://ldap.domain
ldap_start_tls: Connect error (-11)
        additional info: TLS: hostname does not match CN in peer certificate
But OpenSSL lists the (IMO correct) hostnames in the server's certificate:
---------------------------------- snip ----------------------------------
        Subject: CN=ldap.domain,OU=xxx,O=xxx,C=DE
[..]
            X509v3 Subject Alternative Name:
                email:certificate@xxx.domain, DNS:ldap.domain, DNS:ldap-srv01.rz.domain, DNS:ldap-srv02.rz.domain
---------------------------------- snip ----------------------------------
Is the hostname check confused by the email in the first subjectAltName sequence value?
Ciao, Michael.
Michael Ströder wrote:
> We're using self-compiled OpenLDAP 2.4.27 under RHEL 6.1 linked against OpenSSL 1.0.0 libs shipped with RHEL.
> (some names are consistently obfuscated herein to keep real names confidential)
> Unfortunately we can't get StartTLS to work. It always fails:
>
> # /opt/xxxdir/bin/ldapsearch -x -ZZ ldap://ldap-srv01.rz.domain
> ldap_start_tls: Connect error (-11)
>         additional info: TLS: hostname does not match CN in peer certificate
> # /opt/xxxdir/bin/ldapsearch -x -ZZ ldap://ldap.domain
> ldap_start_tls: Connect error (-11)
>         additional info: TLS: hostname does not match CN in peer certificate
>
> But OpenSSL lists the (IMO correct) hostnames in the server's certificate:
>
> ---------------------------------- snip ----------------------------------
>         Subject: CN=ldap.domain,OU=xxx,O=xxx,C=DE
> [..]
>             X509v3 Subject Alternative Name:
>                 email:certificate@xxx.domain, DNS:ldap.domain, DNS:ldap-srv01.rz.domain, DNS:ldap-srv02.rz.domain
> ---------------------------------- snip ----------------------------------
>
> Is the hostname check confused by the email in the first subjectAltName sequence value?
I tried to understand the code in function tlso_session_chkhost() in libraries/libldap/tls_o.c (RE24) but got totally confused by the use of vars ntype and gn->type.
Ciao, Michael.
On Thu, Jan 12, 2012 at 05:31:31PM +0100, Michael Ströder wrote:
> We're using self-compiled OpenLDAP 2.4.27 under RHEL 6.1 linked against OpenSSL 1.0.0 libs shipped with RHEL.
> Unfortunately we can't get StartTLS to work. It always fails:
>
> # /opt/xxxdir/bin/ldapsearch -x -ZZ ldap://ldap-srv01.rz.domain
> ldap_start_tls: Connect error (-11)
>         additional info: TLS: hostname does not match CN in peer certificate
> # /opt/xxxdir/bin/ldapsearch -x -ZZ ldap://ldap.domain
> ldap_start_tls: Connect error (-11)
>         additional info: TLS: hostname does not match CN in peer certificate
>
> But OpenSSL lists the (IMO correct) hostnames in the server's certificate:
>
> ---------------------------------- snip ----------------------------------
>         Subject: CN=ldap.domain,OU=xxx,O=xxx,C=DE
> [..]
>             X509v3 Subject Alternative Name:
>                 email:certificate@xxx.domain, DNS:ldap.domain, DNS:ldap-srv01.rz.domain, DNS:ldap-srv02.rz.domain
> ---------------------------------- snip ----------------------------------
>
> Is the hostname check confused by the email in the first subjectAltName sequence value?
Probably not. I have just set up a test case like that and it works. All software is current versions on Debian Squeeze:
@(#) $OpenLDAP: slapd 2.4.23 (Jun 15 2011 13:31:57) $
        @incagijs:/home/thijs/debian/p-u/openldap-2.4.23/debian/build/servers/slapd
OpenSSL 0.9.8o 01 Jun 2010
I usually find that the problem is with the client-side setup, probably not getting the right TLS_CACERT value (i.e. in your case maybe /opt/xxxdir/bin/ldapsearch is reading /opt/xxxdir/etc/openldap/ldap.conf rather than /etc/openldap/ldap.conf).
Andrew
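The subjectAltName question from the first post and Andrew's "probably not" above, as an added example that is not code from this thread nor from OpenLDAP's libldap (tlso_session_chkhost() is not reproduced here): a matcher written to the RFC 6125 rules, run over the exact Subject and subjectAltName lines as openssl printed them in the thread, obfuscated names kept. It only looks at the type tag of each SAN entry, so the leading email entry is skipped rather than compared; DNS names are compared case-insensitively with the one-left-most-label wildcard rule; and the subject CN is consulted only when the SAN carries no dNSName at all. Both hostnames from the failing ldapsearch calls therefore match, and the function reports which branch decided, since an error text that names only the CN does not tell you whether the SAN loop found nothing or was never reached.

```python
"""RFC 6125-style hostname matching over the names openssl x509 -text prints.

Added example, not code from the thread or from OpenLDAP's libldap. It takes
the Subject and subjectAltName lines as printed by openssl and answers the
question raised in the thread: does a non-DNS entry (here an email address)
in front of the dNSName entries disturb the match?
"""
import re

# Constructed input: the two lines quoted in the thread, obfuscated names kept.
SUBJECT_LINE = "Subject: CN=ldap.domain,OU=xxx,O=xxx,C=DE"
SAN_LINE = ("email:certificate@xxx.domain, DNS:ldap.domain, "
            "DNS:ldap-srv01.rz.domain, DNS:ldap-srv02.rz.domain")


def parse_san(line):
    """Split an openssl-printed SAN line into ordered (type, value) pairs.

    Entries look like 'DNS:host', 'email:addr', 'IP Address:1.2.3.4',
    'URI:...'. Only the type tag decides whether an entry is a host name
    candidate, so the position of an email entry is irrelevant to the match.
    """
    names = []
    for item in line.split(","):
        item = item.strip()
        if item:
            kind, _, value = item.partition(":")
            names.append((kind.strip(), value.strip()))
    return names


def subject_cn(subject_line):
    """Pull the CN attribute value out of an openssl 'Subject:' line."""
    m = re.search(r"CN=([^,/]+)", subject_line)
    return m.group(1).strip() if m else None


def dns_name_matches(presented, hostname):
    """Compare one presented DNS identifier with the reference hostname.

    Case-insensitive; a single '*' is honoured only as the whole left-most
    label, never across a label boundary, and never directly under a TLD
    (so '*.domain' matches nothing).
    """
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in presented:
        return presented == hostname
    p_labels = presented.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in presented[2:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_hostname(hostname, san_line, subject_line):
    """Return (matched, reason) for hostname against the printed cert names.

    Rule (RFC 6125 section 6.4.4): when the SAN extension carries any dNSName
    entry, those entries are the only identifiers consulted and the subject
    CN is ignored; the CN is a fallback only for certificates without a
    dNSName SAN. The reason string says which branch decided.
    """
    dns_names = [value for kind, value in parse_san(san_line) if kind == "DNS"]
    if dns_names:
        for name in dns_names:
            if dns_name_matches(name, hostname):
                return True, "matched SAN dNSName %s" % name
        return False, ("no SAN dNSName matches %s; CN not consulted because "
                       "the SAN carries DNS names" % hostname)
    cn = subject_cn(subject_line)
    if cn is not None and dns_name_matches(cn, hostname):
        return True, "matched subject CN %s (no dNSName in SAN)" % cn
    return False, "no dNSName in SAN and subject CN %r does not match %s" % (cn, hostname)


if __name__ == "__main__":
    # Both names used in the failing ldapsearch calls from the thread.
    for host in ("ldap-srv01.rz.domain", "ldap.domain"):
        ok, why = check_hostname(host, SAN_LINE, SUBJECT_LINE)
        print("%-22s %s: %s" % (host, "OK" if ok else "FAIL", why))
```

Two checks worth making before blaming the certificate, both in line with Andrew's point that the client side is the usual culprit. First, ldapsearch takes the server URI through -H; a bare ldap://... argument on the command line is read as the search filter, and the connection then goes to whatever URI or HOST the client's ldap.conf names, so the name being verified may not be the one typed. Second, ldap.conf(5) lets you pin the client configuration from the environment: running the same command with LDAPCONF=/etc/openldap/ldap.conf (or with LDAPTLS_CACERT pointing at the CA file) settles which ldap.conf the /opt/xxxdir build is reading.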
openldap-technical@openldap.org