Re: SSL problems, certificate mismatch
I found I have to start the server with:
-h "ldap:/// ldaps:///"
in order to get two listeners started. Check yours with the -d 9 debug
setting to see.
Then browse to https://host:636/ to get the certificate into a web browser
like Netscape and ignore the "document has no content" message after the
certificate dialog.
LDAP Browser 2.8.2 asked if I wanted to accept the certificate after checking
the "Secure" check box. I suppose different clients will behave differently.
Leila Lappin wrote:
>
> Hello,
>
> I'm not passing hostname to ldapsearch because I have only the default
> hostnames (localhost.localadmin) set up. I start the server passing -h
> "ldap:/// ldaps:///" which are supposed to use the default hostname. So I
> can't see how I'm passing different hostnames.
>
> I guess my problem is that I don't know where ldapsearch is getting the
> information for what certificate to use, if I knew that then I could copy
> the right certificate for it to use. Any suggestions please?
>
> ----- Original Message -----
> From: "Norbert Klasen" <norbert.klasen@daasi.de>
> To: "Leila Lappin" <galaxylappin@comcast.net>;
> <OpenLDAP-software@OpenLDAP.org>
> Sent: Friday, April 12, 2002 12:56 AM
> Subject: Re: SSL problems, certificate mismatch
>
> >
> >
> > --On Friday, 12 April 2002 01:43 -0700 Leila Lappin
> > <galaxylappin@comcast.net> wrote:
> >
> > > I came across this problem because when I do ldapsearch without -ZZ I get
> > > the data I'm expecting to see. But when I do the same search with -ZZ
> > > option I only get "ldap_start_tls: Success" and no data. I looked
> > > through diagnostics on the client side and saw an error with mismatched
> > > hostnames on certificates. It's clear that two different certificates
> > > are being used by the client and server but why and how can I fix it?
> >
> > You need to use the hostname that is specified in the certificate (either
> > as CN attribute in the DN or as subjectAltName of type DNS) as the hostname
> > you connect to. If these two don't match, the connection is aborted because
> > this mismatch could result from a Man-in-the-Middle attack.
> >
> > --
> > Norbert Klasen, Dipl.-Inform.
> > DAASI International GmbH phone: +49 7071 29 70336
> > Wilhelmstr. 106 fax: +49 7071 29 5114
> > 72074 Tübingen email: norbert.klasen@daasi.de
> > Germany web: http://www.daasi.de
> >
> >
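As an added example (not code from this thread or from OpenLDAP), the following Python applies the rule Norbert describes: the name you connect to must match a subjectAltName DNS entry or, only when the certificate carries no SAN DNS entries, the subject CN. The helper names, the `probe_ldaps` function and any hostnames are assumptions; the certificate dict layout is the one returned by Python's `ssl` `getpeercert()`.

```python
import socket
import ssl


def cert_names(cert):
    """Split a getpeercert()-style dict into (SAN DNS names, subject CN values)."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return sans, cns


def _name_match(pattern, hostname):
    """Case-insensitive exact match, or a wildcard covering exactly one leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p, h = pattern.split("."), hostname.split(".")
    # Same label count, the wildcard stands for exactly one label, and a
    # pattern as broad as "*.org" is rejected.
    return len(p) == len(h) and len(p) >= 3 and p[1:] == h[1:]


def hostname_matches(cert, hostname):
    """The rule from the thread: a SAN DNS entry must match the connected-to
    name; only when the certificate has no SAN DNS entries does the CN count."""
    sans, cns = cert_names(cert)
    return any(_name_match(n, hostname) for n in (sans or cns))


def mismatch_report(cert, hostname):
    """Human-readable hint listing the names the server certificate carries."""
    sans, cns = cert_names(cert)
    return (f"'{hostname}' is not covered by SAN DNS {sans} or CN {cns}; "
            f"connect using one of those names or reissue the certificate for '{hostname}'")


def probe_ldaps(host, port=636, cafile=None):
    """Open a fully verified TLS connection to an ldaps listener (cafile is the
    CA that signed the server certificate). Returns (True, parsed peer cert) on
    success, or (False, OpenSSL's verify message) when the chain or the
    hostname check fails. Network call, assumed name; not exercised offline."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.getpeercert()
    except ssl.SSLCertVerificationError as err:
        return False, err.verify_message
```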