[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: SSL problems, certificate missmatch [ new details ]
Hi Norbert,
I did what you recommended, but I got the same error whether I pass FQDN or
"localhost" to ldapsearch. The reason seems to show in the following
diagnostics as ldap_connect_to_host: always tries to use my ISP provided IP
address. On the other hand I created a new certificate with CN= localhost.
Is there a way around this so I can use loopback (localhost)?
Thanks in advance for any further input and advice
Leila
The response ------- snip ---------------------------
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying XX.YY.Z.214:389 <========= my IP address
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: FQDN <========= my
FQDN
ldap_delayed_open successful, ld_host is (null)
ldap_send_server_request
......
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, subject:
/C=US/ST=Some-State/O=self/OU=section/CN=localhost/Email=galaxylappin@comcas
t.net, issuer:
/C=US/ST=Some-State/O=self/OU=section/CN=localhost/Email=galaxylappin@comcas
t.net
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS: hostname (FQDN) does not match
common name in certificate (localhost).ldap_perror
ldap_start_tls: Success
---------------------------snip --------------------------------------------
----- Original Message -----
From: "Norbert Klasen" <norbert.klasen@daasi.de>
To: "Leila Lappin" <galaxylappin@comcast.net>;
<OpenLDAP-software@OpenLDAP.org>
Sent: Friday, April 12, 2002 6:34 AM
Subject: Re: SSL problems, certificate missmatch
>
>
> --On Freitag, 12. April 2002 08:30 -0700 Leila Lappin
> <galaxylappin@comcast.net> wrote:
>
> > I'm not passing hostname to ldapsearch becuase I have only the default
> > hostnames (localhost.localadmin) setup. I start the server passing -h
> > "ldap:/// ldaps:///" which are supposed to use the default hostname. So
I
> > can't see how I'm passing different hostnames.
>
> The -h Parameter to ldapsearch needs to be hostname that is stored in the
> server's certificate. Just using
> ldapsearch -b somebase type=value
> will use localhost as the hostname. This is probably not what you have in
> your certificate. Try
> ldapserach -h FQDN -b somebase type=value
> where FQDN is the fully qualified domain name of your server.
>
> See also RFC2830.
>
> --
> Norbert Klasen, Dipl.-Inform.
> DAASI International GmbH phone: +49 7071 29 70336
> Wilhelmstr. 106 fax: +49 7071 29 5114
> 72074 Tübingen email: norbert.klasen@daasi.de
> Germany web: http://www.daasi.de
>
>