
RE: ldap_start_tls: Can't contact LDAP server



The RFC wasn't explicit on whether wildcards are allowed in the commonName
or not. The library only allows wildcards in a subjectAltName; the
commonName is expected to be a fully qualified domain name.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: Justin Wood [mailto:justin@flipdog.com]
> Sent: Monday, April 22, 2002 11:02 AM
> To: Howard Chu
> Cc: openldap-software@openldap.org
> Subject: Re: ldap_start_tls: Can't contact LDAP server
>
>
> It appears that it doesn't understand wildcard certs:
>
> TLS: hostname (fs1.p.flipdog.com) does not match common name in
> certificate (*.flipdog.com).
>
> -Justin.
>
> Howard Chu wrote:
> > Try running your slapd with debug set to -d 127 and then look at the TLS
> > trace messages.
> >
> >   -- Howard Chu
> >   Chief Architect, Symas Corp.       Director, Highland Sun
> >   http://www.symas.com               http://highlandsun.com/hyc
> >   Symas: Premier OpenSource Development and Support
> >
> >
> >>-----Original Message-----
> >>From: Justin Wood [mailto:justin@flipdog.com]
> >>Sent: Monday, April 22, 2002 10:03 AM
> >>To: Howard Chu
> >>Cc: openldap-software@OpenLDAP.org
> >>Subject: Re: ldap_start_tls: Can't contact LDAP server
> >>
> >>
> >>That's what I've got.  I created a CA cert, then a server certificate
> >>for *.flipdog.com which is signed by the CA cert.  That's all I have.
> >>
> >>-Justin.
> >>
> >>Howard Chu wrote:
> >>
> >>>>-----Original Message-----
> >>>>From: owner-openldap-software@OpenLDAP.org
> >>>>[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Justin Wood
> >>>
> >>>
> >>>>openssl s_client -connect ldapmaster.flipdog.com:636, and it seems to
> >>>>see the cert, but I get a response I'm not sure of.  Along with
> >>>>reporting the certificate it found, I see the following.
> >>>>
> >>>>verify error:num=19:self signed certificate in certificate chain
> >>>>
> >>>>Can anyone shed some light on this for me?
> >>>
> >>>
> >>>I believe this means you have more than one self-signed
> >>>certificate in your certificate chain. This shouldn't happen; you
> >>>should have one root-level Certificate Authority that has a
> >>>self-signed cert, and then all other (lower) certificates in a chain
> >>>should be signed by a superior CA.
> >>>
> >>>  -- Howard Chu
> >>>  Chief Architect, Symas Corp.       Director, Highland Sun
> >>>  http://www.symas.com               http://highlandsun.com/hyc
> >>>  Symas: Premier OpenSource Development and Support
> >>>
> >>
> >>
> >>
> >>--
> >>----------------------------------------------------------
> >>Justin Wood				justin@flipdog.com
> >>Systems Administrator
> >>FlipDog.com
> >>		   http://www.flipdog.com/
> >>----------------------------------------------------------
> >
> >
>
>
>
> --
> ----------------------------------------------------------
> Justin Wood				justin@flipdog.com
> Systems Administrator
> FlipDog.com
> 		   http://www.flipdog.com/
> ----------------------------------------------------------
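The hostname rule described in the reply above, written out as an added illustration that is not OpenLDAP's libldap code: the commonName is accepted only as an exact fully qualified name, and a wildcard is honoured only in a subjectAltName dNSName entry. It also assumes the usual single-label wildcard rule (as in RFC 6125), so `*.flipdog.com` would not cover `fs1.p.flipdog.com` even as a SAN; the certificate fields are constructed sample values taken from the thread.

```python
"""Hostname check modelled on the policy stated in the reply above.

Added illustration, not libldap's implementation: the commonName must equal
the FQDN exactly, and a wildcard is honoured only in a subjectAltName
dNSName, where it may replace exactly the leftmost label.
"""


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname, allowing a single
    leading '*.' that covers exactly one DNS label (RFC 6125 style)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname      # no wildcard: exact match only
    if "*" in pattern[2:]:
        return False                    # only the leftmost label may be wildcarded
    suffix = pattern[1:]                # e.g. ".flipdog.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    # Exactly one non-empty label may stand in for '*'; "fs1.p" contains a
    # dot, so fs1.p.flipdog.com is not covered by *.flipdog.com.
    return bool(leftmost) and "." not in leftmost


def hostname_matches(hostname: str, common_name: str, san_dns_names=()) -> bool:
    """Return True if the certificate identity covers `hostname`.

    subjectAltName entries are checked first and may use a wildcard; the
    commonName is accepted only as an exact FQDN, so a CN of '*.flipdog.com'
    never matches any host.
    """
    for name in san_dns_names:
        if _dns_name_match(name, hostname):
            return True
    cn = common_name.lower().rstrip(".")
    return "*" not in cn and cn == hostname.lower().rstrip(".")


if __name__ == "__main__":
    # The failure from the thread: wildcard CN, no subjectAltName.
    print(hostname_matches("fs1.p.flipdog.com", "*.flipdog.com"))                       # False
    # The same wildcard in a SAN covers exactly one label.
    print(hostname_matches("fs1.flipdog.com", "*.flipdog.com", ["*.flipdog.com"]))      # True
    print(hostname_matches("fs1.p.flipdog.com", "*.flipdog.com", ["*.flipdog.com"]))    # False
    # A per-host certificate with an exact CN is what the reply calls for.
    print(hostname_matches("fs1.p.flipdog.com", "fs1.p.flipdog.com"))                   # True
```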