Hi there!
I have a problem with an LDAP server that I need to connect to. I have the required certificate stored on the client but I am getting the following error message:
"TLS: hostname (A.xyz123.com) does not match common name in certificate (*.xyz123.com)"
Is there any way to work around this problem? As far as I understand it, RFC4514 section 3.1.3 allows wildcards, thus the connection should work, shouldn't it?
What is confusing me is that
"openssl s_client -connect A.xyz123.com:636 -CAfile /etc/ssl/certs/rootca.cer"
results in:
Verify return code: 0 (ok)
If I am not mistaken, openssl accepts the server based on the certificate but openldap does not.
Any help is much appreciated. I am really stuck with this. Thanks.
Regards, Sascha
Sascha wrote:
I have a problem with an LDAP server that I need to connect to. I have the required certificate stored on the client but I am getting the following error message:
"TLS: hostname (A.xyz123.com) does not match common name in certificate (*.xyz123.com)"
Personally I'm scared of accepting wildcard certs for security reasons.
As far as I understand it, RFC4514 section 3.1.3 allows wildcards, thus the connection should work, shouldn't it?
It's RFC 4513, section 3.1.3. And there it says:
The server's identity may also be verified by comparing the reference identity to the Common Name (CN) [RFC4519] value in the leaf Relative Distinguished Name (RDN) of the subjectName field of the server's certificate. This comparison is performed using the rules for comparison of DNS names in Section 3.1.3.1, below, with the exception that no wildcard matching is allowed.
So wildcard DNS names in CN are explicitly not allowed. You can try with wildcard patterns in the subjectAltName cert extension.
What is confusing me is that
"openssl s_client -connect A.xyz123.com:636 -CAfile /etc/ssl/certs/rootca.cer"
results in:
Verify return code: 0 (ok)
If I am not mistaken, openssl accepts the server based on the certificate but openldap does not.
It's up to a particular SSL/TLS client implementation on what it accepts.
Ciao, Michael.
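To make the distinction in the RFC text concrete, here is an added Python illustration (a hypothetical helper, not OpenLDAP's libldap code) of the two RFC 4513 section 3.1.3 checks: dNSName values in subjectAltName, where a wildcard is accepted only as the entire left-most label, and the subject CN, which is compared literally with no wildcard matching. The hostname and certificate names are the constructed ones from this thread.

```python
"""RFC 4513 section 3.1.3 server identity check (constructed illustration).

Hypothetical helper, not OpenLDAP's own code. It models the two comparisons
the RFC describes: subjectAltName dNSName values (wildcard permitted in the
left-most label) and the CN of the subject's leaf RDN (no wildcard matching).
"""
from typing import Iterable, Optional


def _dns_labels(name: str) -> list:
    # A trailing dot and letter case are not significant for DNS comparison.
    return name.rstrip(".").lower().split(".")


def dns_name_matches(reference: str, presented: str, allow_wildcard: bool) -> bool:
    """Compare one reference identity to one presented identity (RFC 4513 3.1.3.1)."""
    ref = _dns_labels(reference)
    pres = _dns_labels(presented)
    if len(ref) != len(pres):
        return False  # "*.xyz123.com" matches neither "xyz123.com" nor "a.b.xyz123.com"
    if pres[0] == "*":
        # Wildcard only as the whole left-most label, and only where allowed
        # (subjectAltName); in a CN the "*" is just a literal that never matches.
        return allow_wildcard and ref[1:] == pres[1:]
    if "*" in presented:
        return False  # partial-label patterns such as "a*.xyz123.com" are not matched
    return ref == pres


def verify_server_identity(hostname: str, san_dns: Iterable[str], cn: Optional[str]) -> str:
    """Return which identity matched ("san" or "cn"), or "mismatch".

    san_dns: dNSName values from the subjectAltName extension (may be empty).
    cn:      Common Name of the leaf RDN of the subject, if present.
    """
    for name in san_dns:
        if dns_name_matches(hostname, name, allow_wildcard=True):
            return "san"
    if cn is not None and dns_name_matches(hostname, cn, allow_wildcard=False):
        return "cn"
    return "mismatch"


if __name__ == "__main__":
    # Constructed case from the thread: wildcard only in CN, no subjectAltName.
    print(verify_server_identity("A.xyz123.com", [], "*.xyz123.com"))                # mismatch
    # The same wildcard carried in subjectAltName is acceptable under the RFC.
    print(verify_server_identity("A.xyz123.com", ["*.xyz123.com"], "*.xyz123.com"))  # san
```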
--On Saturday, March 14, 2009 12:21 PM +0100 Michael Ströder michael@stroeder.com wrote:
So wildcard DNS names in CN are explicitly not allowed. You can try with wildcard patterns in the subjectAltName cert extension.
Except that most cert vendors put the wildcard in CN and not subjectAltName. I note everything I ever tested with a wildcard cert accepted this *except* OpenLDAP. So I submitted an ITS somewhere back in OpenLDAP 2.2 land to allow this, and it has been in place ever since, and works to this day AFAIK.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Thanks, Michael and Quanah.
It is an old-ish version of OpenLDAP (2.0.x I think) that we are using. I guess that explains why it's failing.
Any advice how I can work around it except for updating to a new version of OpenLDAP? I experimented with tls_reqcert and tls_checkpeer (or similar) but without success.
Thanks, Sascha
On 14.03.2009 at 20:45, Quanah Gibson-Mount wrote:
Sascha wrote:
It is an old-ish version of OpenLDAP (2.0.x I think) that we are using.
You really should update this setup for various reasons. Most notably because of possible data loss in this version. Note that this might require sanitizing the current data since recent OpenLDAP versions are more strict regarding schema checking than 2.0. And in 2.4 you can't turn off schema checking anymore.
Ciao, Michael.
openldap-technical@openldap.org