
Re: SSL problems, certificate mismatch



Hello,

I'm not passing hostname to ldapsearch because I have only the default
hostnames (localhost.localadmin) setup.  I start the server passing -h
"ldap:/// ldaps:///" which are supposed to use the default hostname.  So I
can't see how I'm passing different hostnames.

I guess my problem is that I don't know where ldapsearch is getting the
information for what certificate to use, if I knew that then I could copy
the right certificate for it to use.  Any suggestions please?

----- Original Message -----
From: "Norbert Klasen" <norbert.klasen@daasi.de>
To: "Leila Lappin" <galaxylappin@comcast.net>;
<OpenLDAP-software@OpenLDAP.org>
Sent: Friday, April 12, 2002 12:56 AM
Subject: Re: SSL problems, certificate mismatch


>
>
> --On Freitag, 12. April 2002 01:43 -0700 Leila Lappin
> <galaxylappin@comcast.net> wrote:
>
> > I came across this problem because when I do ldapsearch without -ZZ I get
> > the data I'm expecting to see.  But when I do the same search with -ZZ
> > option I only get "ldap_start_tls: Success" and no data.   I looked
> > through diagnostics on the client side and saw an error with mismatched
> > hostnames on certificates.  It's clear that two different certificates
> > are being used by the client and server but why and how can I fix it?
>
> You need to use the hostname that is specified in the certificate (either
> as CN attribute in the DN or as subjectAltName of type DNS) as the hostname
> you connect to. If these two don't match, the connection is aborted because
> this mismatch could result from a Man-in-the-Middle attack.
>
> --
> Norbert Klasen, Dipl.-Inform.
> DAASI International GmbH                 phone: +49 7071 29 70336
> Wilhelmstr. 106                          fax:   +49 7071 29 5114
> 72074 Tübingen                           email: norbert.klasen@daasi.de
> Germany                                  web:   http://www.daasi.de
>
>
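The check Norbert describes in the quoted reply, as an added example that is not part of this thread and not OpenLDAP's own code: a client compares the hostname it connected to against the DNS subjectAltName entries of the server certificate (or the subject CN when there are no DNS SANs), and refuses the connection on a mismatch. The certificate dictionaries are shaped like the output of Python's `ssl.SSLSocket.getpeercert()`; their contents, including the names `ldap.example.com` and `localhost.localdomain`, are constructed for illustration.

```python
# Added example (not from the thread): how a TLS client such as ldapsearch
# decides whether the server certificate belongs to the host it connected to.
# Certificate dicts are shaped like the stdlib's ssl.SSLSocket.getpeercert()
# output; all values below are constructed for illustration.


def cert_dns_names(cert):
    """Names the certificate is valid for.

    RFC 6125 rule: if any subjectAltName of type DNS is present, only those
    count; the subject CN is consulted only as a fallback when there are none.
    """
    san_dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return san_dns
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return [value]
    return []


def _name_matches(pattern, hostname):
    """Case-insensitive match of one certificate name against the hostname.

    A single leading '*' label may stand in for exactly one label
    (*.example.com matches ldap.example.com but not example.com or
    a.b.example.com); any other wildcard placement is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if the client may trust this certificate for `hostname`."""
    return any(_name_matches(name, hostname) for name in cert_dns_names(cert))


def diagnose(cert, hostname):
    """Human-readable verdict, as a client-side diagnostic would report it."""
    names = cert_dns_names(cert)
    if hostname_matches(cert, hostname):
        return f"ok: certificate is valid for {hostname}"
    return (f"hostname mismatch: connected to {hostname!r} but the certificate "
            f"is only valid for {names}; connect using one of those names "
            f"or reissue the certificate with a matching subjectAltName")


# Constructed certificate: a server cert issued for a fully qualified name,
# with DNS SANs (the CN is ignored while SANs are present).
SERVER_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "*.ldap.example.com")),
}

# Constructed certificate with no SAN at all, where only the CN carries the
# hostname, so the client has to connect with exactly that name.
CN_ONLY_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "localhost.localdomain"),)),
}

if __name__ == "__main__":
    for cert, host in [(SERVER_CERT, "ldap.example.com"),
                       (SERVER_CERT, "localhost"),
                       (CN_ONLY_CERT, "localhost.localdomain"),
                       (CN_ONLY_CERT, "localhost")]:
        print(diagnose(cert, host))
```

The last two cases mirror the situation in the thread: a certificate whose CN names the machine's full default hostname is rejected when the client connects as plain `localhost`, and the fix is to connect using the name in the certificate or to issue a certificate that carries the name actually used.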