[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SSL problems, certificate missmatch

To: Leila Lappin <galaxylappin@comcast.net>, OpenLDAP-software@OpenLDAP.org
Subject: Re: SSL problems, certificate missmatch
From: Norbert Klasen <norbert.klasen@daasi.de>
Date: Fri, 12 Apr 2002 09:56:33 +0200
Content-disposition: inline
In-reply-to: <052d01c1e1fe$14637650$600b2644@verona01.nj.comcast.net>
References: <052d01c1e1fe$14637650$600b2644@verona01.nj.comcast.net>

--On Freitag, 12. April 2002 01:43 -0700 Leila Lappin <galaxylappin@comcast.net> wrote:

I came across this problem because when I do ldapsearch without -ZZ I get
the data I'm expecting to see.  But when I do the same search with -ZZ
option I only get "ldap_start_tls: Success" and no data.   I looked
through diagnostics on the client side and saw an error with mismatched
hostnames on certificates.  It's clear that two different certificates
are being used by the client and server but why and how can I fix it?

You need to use the hostname that is specified in the certificate (either as CN attribute in the DN or as subjectAltName of type DNS) as the hostname you connect to. If these two don't match, the connection is aborted because this mismatch could result from a Man-in-the-Middle attack.

--
Norbert Klasen, Dipl.-Inform.
DAASI International GmbH                 phone: +49 7071 29 70336
Wilhelmstr. 106                          fax:   +49 7071 29 5114
72074 Tübingen                           email: norbert.klasen@daasi.de
Germany                                  web:   http://www.daasi.de

Follow-Ups:
- Re: SSL problems, certificate missmatch
  - From: Leila Lappin <galaxylappin@comcast.net>

References:
- SSL problems, certificate missmatch
  - From: Leila Lappin <galaxylappin@comcast.net>

Prev by Date: Re: ldapsearch case insensitive
Next by Date: RE: why doesn't my plain text password show a plain text value?
Index(es):
- Chronological
- Thread