Re: Problems with multiple DNS names in cert.
[ Howard Chu ]
> This error is generated on the client, not the server. Run
> ldapsearch with debugging enabled and look at the TLS verification
> messages to see what it's doing. By the way, the cert verification
> code hasn't changed since 2.1.13...
Hmm. Ok. This is with OL 2.1.16 (both server and client):
beeblebrox.uio.no# /ldap/usr/bin/ldapsearch -x -h bb.uio.no -ZZ -s base -d -1
ldap_connect_to_host: TCP bb.uio.no:389
...
ldap_int_sasl_open: host=beeblebrox.uio.no
...
** Connections:
* host: bb.uio.no port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Mar 27 11:50:15 2003
...
TLS certificate verification: depth: 1, err: 0, subject: /C=NO/L=Oslo/O=University of Oslo/OU=Center for Information Technology Services (USIT)/CN=USIT CA/Email=webmaster@usit.uio.no, issuer: /C=NO/L=Oslo/O=University of Oslo/OU=Center for Information Technology Services (USIT)/CN=USIT CA/Email=webmaster@usit.uio.no
TLS certificate verification: depth: 0, err: 0, subject: /C=NO/O=University of Oslo/OU=Center for Information Technology Services (USIT)/CN=beeblebrox.uio.no/Email=katalog-drift@ulrik.uio.no, issuer: /C=NO/L=Oslo/O=University of Oslo/OU=Center for Information Technology Services (USIT)/CN=USIT CA/Email=webmaster@usit.uio.no
...
TLS: hostname (bb.uio.no) does not match common name in certificate (beeblebrox.uio.no).
ldap_perror
ldap_start_tls: Connect error (91)
additional info: TLS: hostname does not match CN in peer certificate
...
Is this a bug in ldapsearch, then? The server above is a test server,
but I use the same method on my production servers (CN=foo.uio.no,
DNSalias=ldap.uio.no).
Thanks for answering.
--
Mathias Meisfjordskar
GNU/Linux addict.
"If it works; HIT IT AGAIN!"
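The hostname check that the debug output above shows failing, written out as an added example (not code from this thread or from OpenLDAP's libldap): the client compares the name it was told to connect to against the certificate's subjectAltName dNSName entries (the "DNS alias" the post refers to) and, failing those, the subject CN. The policy modelled here, that the CN is consulted only when the certificate has no dNSName entries, is the RFC 6125 rule and an assumption about the library; the inputs are constructed from the names in the thread.

```python
def _name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate name with the hostname, case-insensitively.
    A wildcard is honoured only as the entire leftmost label ("*.uio.no"),
    so it covers "bb.uio.no" but not "uio.no" or "a.bb.uio.no"."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, san_dns_names, common_name):
    """Return (ok, reason) for a hostname checked against a server cert.

    san_dns_names: the dNSName entries of subjectAltName; common_name: the
    subject CN. Assumed policy (RFC 6125): when dNSName entries exist they
    are the only names consulted; the CN is a fallback only for a cert
    that carries none, which is the case in the thread's debug output.
    """
    if san_dns_names:
        for name in san_dns_names:
            if _name_matches(name, hostname):
                return True, f"hostname ({hostname}) matches subjectAltName dNSName ({name})"
        return False, (f"hostname ({hostname}) does not match any subjectAltName "
                       f"dNSName {list(san_dns_names)}")
    if common_name and _name_matches(common_name, hostname):
        return True, f"hostname ({hostname}) matches common name in certificate ({common_name})"
    return False, (f"hostname ({hostname}) does not match common name in "
                   f"certificate ({common_name})")


if __name__ == "__main__":
    # Constructed inputs modelled on the thread: the test server's cert has
    # only a CN, so connecting to the alias bb.uio.no is rejected ...
    print(hostname_matches("bb.uio.no", [], "beeblebrox.uio.no"))
    # ... whereas a cert that carries the alias as a dNSName is accepted.
    print(hostname_matches("ldap.uio.no", ["foo.uio.no", "ldap.uio.no"], "foo.uio.no"))
    # A wildcard covers exactly one label, not a bare parent or a deeper name.
    print(hostname_matches("bb.uio.no", ["*.uio.no"], None))
    print(hostname_matches("a.bb.uio.no", ["*.uio.no"], None))
```

Run against a real certificate, the dNSName list comes from the subjectAltName extension (e.g. `openssl x509 -noout -ext subjectAltName`), which is the field to inspect when a client reports a CN mismatch for an alias.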