
Re: Multi-homed machine and TLS



Hi,

Imobach González Sosa <igonzalez@becarios.ulpgc.es> writes:

> On Wednesday, 15 September 2004 10:38, Imobach González Sosa wrote:
>> Hi all,

>
> Ok, we've generated an SSL certificate with 
> subjectAltName=DNS:name1.sub.domain.com,DNS:name2.domain.com
>
> If we type
>
> $ openssl s_client -CAfile /usr/share/ssl/certs/cacert.pem \
> -connect name2.domain.com:636 -tls1 -showcerts
>
> it seems to work pretty fine (subjectAltName attribute is listed). However, 
> when we try using ldapsearch, we've got a TLS error. It seems that it's only 
> checking the commonName (if we specify the commonName instead of one of the 
> aliases, it works).

It does work! My server has the FQDN marin.l4b.de and the CNAMEs
ldap.l4b.de and kerberos.l4b.de; the client certificate contains
subjectAltName=DNS: ldap.l4b.de localhost
A search on host ldap.l4b.de is successful:

,----[ success ]
| ldapsearch -H ldap://ldap.l4b.de -b ou=benchmark,o=avci,c=de -ZZ
| # search result
| search: 6
| result: 0 Success
| # numResponses: 2
| # numEntries: 1
`----

A search on host kerberos.l4b.de gives an error:

,----[ wrong hostname ]
| ldapsearch -H ldap://kerberos.l4b.de -b ou=benchmark,o=avci,c=de -ZZ
| ldap_start_tls: Connect error (-11)
|  additional info: TLS: hostname does not match CN in peer certificate
`----

So you might check your certificate.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8C183C8622115328
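The point of the thread is which certificate field a TLS client compares the connected hostname against. Below is an added example (not code from either poster, nor from OpenLDAP's libldap) that implements the hostname-matching rules most current verifiers follow, namely the RFC 6125 / OpenSSL X509_check_host defaults: if the certificate carries any dNSName subjectAltName entries, only those are consulted and the CN is ignored; the CN is a fallback only for certificates with no dNSName entries; a wildcard is honoured only as the entire leftmost label. The certificate contents are constructed from the names in the thread (Dieter's CN marin.l4b.de with SAN ldap.l4b.de and localhost, Imobach's two SAN entries); the CN `host.domain.com` for Imobach's certificate is an assumption, since the thread never states it. The verdict string copies libldap's diagnostic so the output reads like the thread, but the matching is this script's, not libldap's 2004 behaviour.

```python
"""Added example: hostname verification against a certificate's subjectAltName / CN.

Models the RFC 6125 / OpenSSL X509_check_host default rules. The certificate
contents below are constructed from names used in the mailing-list thread;
they are not real certificates, and Imobach's CN is an assumption.
"""

from typing import Optional, Sequence


def _match_dns_pattern(pattern: str, hostname: str) -> bool:
    """Match one presented DNS identifier against the reference hostname.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    accepted only as the whole leftmost label of a name with at least three
    labels, so "*.l4b.de" is acceptable while "*.de" and "ld*.l4b.de" are not.
    """
    pattern = pattern.strip().lower().rstrip(".")
    hostname = hostname.strip().lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in "".join(p_labels[1:]):
        return False
    # The wildcard covers exactly one label: it never spans "a.b" and never
    # matches the bare parent domain.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, san_dns: Sequence[str], cn: Optional[str]) -> bool:
    """Return True if hostname is a valid identity for a cert with these fields.

    Any dNSName subjectAltName entries take precedence and the CN is then
    ignored; the CN is consulted only when the cert has no dNSName entries.
    """
    if san_dns:
        return any(_match_dns_pattern(p, hostname) for p in san_dns)
    return cn is not None and _match_dns_pattern(cn, hostname)


def check_peer(hostname: str, cert: dict) -> str:
    """Return "ok" or a verdict worded like libldap's diagnostic."""
    if hostname_matches(hostname, cert["san_dns"], cert["cn"]):
        return "ok"
    return "TLS: hostname does not match CN in peer certificate"


# Constructed stand-ins for the two certificates discussed in the thread.
DIETER_CERT = {"cn": "marin.l4b.de", "san_dns": ["ldap.l4b.de", "localhost"]}
IMOBACH_CERT = {
    "cn": "host.domain.com",  # assumed; the thread does not give this CN
    "san_dns": ["name1.sub.domain.com", "name2.domain.com"],
}

if __name__ == "__main__":
    for host in ("ldap.l4b.de", "kerberos.l4b.de", "marin.l4b.de"):
        print(f"{host:22s} -> {check_peer(host, DIETER_CERT)}")
    for host in ("name2.domain.com", "NAME1.sub.domain.com.", "host.domain.com"):
        print(f"{host:22s} -> {check_peer(host, IMOBACH_CERT)}")
```

Two things worth noticing when running it: kerberos.l4b.de fails exactly as in Dieter's second box because it appears nowhere in the SAN, and marin.l4b.de also fails against his certificate even though it is the CN, because a verifier following these rules stops looking at the CN once dNSName entries exist. A client that still accepts the CN alongside the SAN is applying older, laxer semantics. To see what a server really presents, dump the chain with `openssl s_client -showcerts` as in the quoted message and read the `X509v3 Subject Alternative Name` block from `openssl x509 -noout -text`.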