RE: Welcome to openldap-software
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of David Casti
> Hello,
>
> I have the latest OpenLDAP and OpenSSL, and I'm trying to talk with an LDAP
> server that has an odd CN in its certificate.
>
> The FQDN is "foo.company.com", and the CN in its certificate is
> "CN=(foo|bar).company.com" ... openssl s_client validates the site
> correctly, but openldap gives the error "TLS: hostname does not match CN in
> peer certificate"
openssl only verifies that the signature on the cert matches the cert issuer.
It does not verify that the CN in the cert matches any particular hostname.
> I don't know if vertical bars are allowed in CNs like the certificate I
> have, but since the certificate came from Verisign, I suspect that they are
> OK, even if rarely used.
I'm not aware of any spec that allows this format.
> Is this a known bug in openldap?
No. The cert DN does not conform to the RFCs that dictate how certificates
are used with LDAP. (See RFC2830.)
> Is there a good work-around, short of buying a new certificate?
Since Verisign issued you a cert that is unsuitable for your intended use,
they should replace it for free.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
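Added example, not code from OpenLDAP or from anyone in this thread: the hostname check that RFC 2830 section 3.6 asks an LDAP client to perform, written in Python against certificate identities constructed to mirror the thread (a subject of "CN=(foo|bar).company.com", which is taken literally: the parentheses and vertical bar have no meaning in a certificate name, only "*" as the whole left-most label does). The DN parser is a simplified RFC 2253 splitter written for this example, and the function names are my own.

```python
"""Hostname vs. certificate identity matching per RFC 2830 section 3.6.

Added example; not OpenLDAP code. The certificate identities used here are
constructed to mirror the mailing-list thread.
"""
import re


def cn_from_dn(dn):
    """Return the value of the first CN attribute in an RFC 2253 DN string.

    Simplified parser for this example: splits on commas that are not
    escaped with a backslash, then takes the part after the first '='.
    """
    for rdn in re.split(r"(?<!\\),", dn):
        attr_type, _, value = rdn.partition("=")
        if attr_type.strip().upper() == "CN":
            return value.strip()
    return None


def identity_matches(presented, hostname):
    """Match one presented identity (CN or dNSName) against the hostname.

    RFC 2830 section 3.6 rules: comparison is case-insensitive; a '*' is
    allowed only as the whole left-most label and matches exactly one
    label. Nothing else is special, so '(foo|bar).company.com' is merely a
    literal string that no connection hostname will ever equal.
    """
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in presented:
        return presented == hostname
    p_labels = presented.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire left-most label and appear nowhere else.
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    # Refuse over-broad patterns such as '*' or '*.com'.
    if len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(hostname, subject_cn=None, san_dnsnames=()):
    """Return (matched, identity_that_matched).

    If the certificate carries dNSName subjectAltName values they are the
    source of the server's identity and the CN is not consulted (RFC 2830
    says SANs SHOULD be used when present); otherwise fall back to the CN.
    """
    if san_dnsnames:
        candidates = list(san_dnsnames)
    elif subject_cn:
        candidates = [subject_cn]
    else:
        candidates = []
    for ident in candidates:
        if identity_matches(ident, hostname):
            return True, ident
    return False, None


def thread_case():
    """Reproduce the failure from the thread: constructed subject DN and FQDN."""
    subject_dn = "CN=(foo|bar).company.com,O=Example Corp,C=US"  # constructed
    fqdn = "foo.company.com"
    return match_hostname(fqdn, subject_cn=cn_from_dn(subject_dn))


if __name__ == "__main__":
    ok, ident = thread_case()
    print("thread case matched:", ok)  # the client rightly rejects this cert
    for cn in ("foo.company.com", "*.company.com", "*.com", "(foo|bar).company.com"):
        print(f"{cn:28} -> {match_hostname('foo.company.com', subject_cn=cn)}")
```

Running this shows that only an exact (case-insensitive) CN or a "*.company.com" wildcard satisfies the check, which is exactly the decision the "TLS: hostname does not match CN in peer certificate" error reports. On the s_client side, later OpenSSL releases added an `-verify_hostname` option to `openssl s_client`; without it, s_client only checks the certificate chain, so its "Verify return code: 0 (ok)" says nothing about whether the name in the certificate matches the host you connected to.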