
RE: OpenLDAP does not support * certs (ITS#2826)



> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of quanah@stanford.edu

> Full_Name: Quanah Gibson-Mount
> Version: 2.1.23
> OS: Solaris 8
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (171.64.19.82)

> Hello,
>
> We just got a *.stanford.edu cert to take care of various TLS problems we've run
> into with OpenLDAP and software load balancing.  However, the TLS libraries
> return:
>
> ldapsearch -ZZZ -h ldap-test1.stanford.edu  uid=quanah
>
> TLS: hostname (ldap-test1.stanford.edu) does not match common name in
> certificate (*.stanford.edu)
>
> TLS: hostname does not match CN in peer certificate
>
> Here is our * cert:
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             c0:25:a6:07:bc:44:4f:17:5d:d9:38:c4:d9:20:b7:1d
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=GB, O=Comodo Limited, OU=Comodo Trust Network, OU=Terms and Conditions of use: http://www.comodo.net/repository, OU=(c)2002 Comodo Limited, CN=Comodo Class 3 Security Services CA
>         Validity
>             Not Before: Nov 12 00:00:00 2003 GMT
>             Not After : Nov 11 23:59:59 2004 GMT
>         Subject: C=US/2.5.4.17=94305, ST=California, L=Stanford/2.5.4.9=Polya Hall 251, O=Stanford University, OU=ITSS, OU=Issued through Stanford University E-PKI Manager, OU=PremiumSSL Wildcard, CN=*.stanford.edu

The rules for certificate usage don't allow wildcards in the Subject DN of a
cert. Wildcards are only allowed in subjectAltName extensions. (See RFC 2459:
wildcards are explicitly allowed in section 4.2.1.7 but are not mentioned at
all in section 4.1.2.6.)

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
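The matching rule in the reply above, as an added illustration that is not OpenLDAP's code: wildcards are honoured only in subjectAltName dNSName entries, while the CN is compared literally, so a certificate carrying only CN=*.stanford.edu is rejected for ldap-test1.stanford.edu. The assumption that the reported cert has no subjectAltName extension is mine; the dump in the report stops before the extensions.

```python
"""Hostname-vs-certificate matcher (constructed example, not OpenLDAP code)."""
from typing import Iterable, Optional


def _dnsname_match(pattern: str, hostname: str) -> bool:
    """Match one subjectAltName dNSName pattern against a hostname.

    A wildcard is accepted only as the whole leftmost label and matches
    exactly one label: "*.stanford.edu" covers "ldap-test1.stanford.edu"
    but not "stanford.edu" or "a.b.stanford.edu".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # "*" must be the entire first label, appear nowhere else, and be
    # followed by at least two fixed labels (so "*.com" is rejected).
    if plabels[0] != "*" or "*" in pattern[1:] or len(plabels) < 3:
        return False
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def hostname_matches(hostname: str,
                     san_dnsnames: Iterable[str],
                     cn: Optional[str]) -> bool:
    """True if the certificate's names cover `hostname`.

    subjectAltName dNSName entries may carry wildcards; when the
    extension is present the CN is not consulted at all.  Without it,
    the CN is used as a fallback and compared literally, so a "*" in
    the CN never expands.
    """
    san_dnsnames = list(san_dnsnames)
    if san_dnsnames:
        return any(_dnsname_match(p, hostname) for p in san_dnsnames)
    if cn is None:
        return False
    return cn.lower().rstrip(".") == hostname.lower().rstrip(".")


# Constructed values mirroring the report: wildcard CN, assumed no SAN.
REPORTED_CN = "*.stanford.edu"
HOST = "ldap-test1.stanford.edu"

if __name__ == "__main__":
    print(hostname_matches(HOST, [], REPORTED_CN))        # False: CN wildcard ignored
    print(hostname_matches(HOST, [REPORTED_CN], None))    # True: wildcard in SAN
```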