
Re: LDAP and SSL



tir, 30.11.2004 kl. 17.26 skrev Chasecreek Systemhouse:

[...]

> > Looks better:) You're doing the wrong test though, so you don't get to
> > see the errnos. I don't believe for one minute that
> > debian.insecurity.org's IP no. as resolved by gethostbyname() is
> > 192.168.2.2 - I think it's 68.214.83.106:
> 
> So, even if I'm NOT doing internal tests over the public Internet
> (everything so far has been private IPs) I *still* have to put the
> public IP in this section:
> 
> subjectAltName=IP:192.168.2.2,DNS:debian.insecurity.org,DNS:*.insecurity.org,DNS:localhost.localdomain
> 
> Is that because the server can be "seen" over the public Internet?

Rethink. Internal domains (192.168.0.0/16) have nothing to do with
Internet domains. Either redesign your DNS so that you use split DNS
(e.g. the internal domain maps 192.168.2.2/32 to debian.internal or some
such internal domain, and use that in your cert for your host), or adjust
/etc/hosts on each and every machine to reflect the same. If, when doing
'hostname -f', it gives "debian.insecurity.org", that is plain wrong,
since it's on an RFC 1918 network. Rename it to debian.internal or
whatever.

I made a bad mistake in my last posting: I wrote that gethostbyname uses
nss. It doesn't, of course; it uses the resolv libraries.

--Tonni

-- 
Nothing sucksseeds like a pigeon without a beak ...

mail: tonye@billy.demon.nl
http://www.billy.demon.nl
 
They love us, don't they, They feed us, won't they ...
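The exchange above turns on one rule: the TLS client only accepts the server certificate if the name or IP it actually used to reach the server appears in the certificate's subjectAltName. The Python below is an added illustration, not code from the thread or from OpenLDAP. It implements a simplified SAN matcher (assumed to stand in for what a client's TLS library does; DNS and IP entries only, wildcard only as the entire leftmost label) and runs it against the subjectAltName quoted in the thread, showing which connection targets it covers and which it does not.

```python
import ipaddress

# The subjectAltName line quoted in the thread, in OpenSSL config syntax.
THREAD_SAN = ("IP:192.168.2.2,DNS:debian.insecurity.org,"
              "DNS:*.insecurity.org,DNS:localhost.localdomain")


def parse_san(san: str) -> list[tuple[str, str]]:
    """Split 'IP:a.b.c.d,DNS:name,...' into (type, value) pairs."""
    entries = []
    for item in san.split(","):
        item = item.strip()
        if not item:
            continue
        kind, _, value = item.partition(":")
        kind = kind.strip().upper()
        if kind not in ("IP", "DNS"):
            raise ValueError(f"unsupported SAN type: {kind}")
        entries.append((kind, value.strip()))
    return entries


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS match. A wildcard is only honoured as the
    whole leftmost label and matches exactly one label, which is the
    conservative reading of RFC 6125 (assumed here, not from the thread)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject '*.org'-style patterns and anything with '*' inside a label.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def san_matches(san: str, target: str) -> bool:
    """Return True if `target` (the hostname or IP literal the client
    connected to) is covered by the certificate's subjectAltName.
    Only the SAN is consulted; the CN is deliberately not a fallback."""
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None  # target is a DNS name, not an IP literal
    for kind, value in parse_san(san):
        if kind == "IP" and target_ip is not None:
            if ipaddress.ip_address(value) == target_ip:
                return True
        elif kind == "DNS" and target_ip is None:
            if dns_name_matches(value, target):
                return True
    return False


def coverage(san: str, targets: list[str]) -> dict[str, bool]:
    """Evaluate several connection targets against one SAN at once."""
    return {t: san_matches(san, t) for t in targets}


if __name__ == "__main__":
    # Targets a client on the internal net, or on the public Internet,
    # might use; 'debian.internal' is the split-DNS name Tonni suggests.
    for target, ok in coverage(THREAD_SAN, [
        "192.168.2.2", "68.214.83.106", "debian.insecurity.org",
        "ldap.insecurity.org", "a.b.insecurity.org", "debian.internal",
    ]).items():
        print(f"{target:28s} {'covered' if ok else 'NOT covered'}")
```

The last case is the practical consequence of the advice in the message: if the host is renamed to debian.internal and clients resolve that name via split DNS or /etc/hosts, the certificate has to list DNS:debian.internal too, otherwise the rename just moves the mismatch from the IP to the hostname.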