TLS: hostname does not match CN in peer certificate
I need to have some web applications use a TLS/SSL connection to an LDAP
server for authentication. I have previously done this successfully (to the
same server) for a Java web application and now need to do it for a PHP
application (which uses the installed OpenLDAP client to contact the remote
LDAP server). I'm contacting the remote LDAP server by IP number and I'm
getting:
TLS: hostname does not match CN in peer certificate
This seems consistent with section 3.6 of the TLS extension to LDAP
(http://www.rfc-editor.org/rfc/rfc2830.txt):
"The client MUST use the server hostname it used to open the LDAP connection
as the value to compare against the server name as expressed in the server's
certificate. The client MUST NOT use the server's canonical DNS name or any
other derived form of name."
The remote LDAP server is a Novell server, which is its own CA, and the
certificate I was given has the following:
$ openssl x509 -in TrustedRootCert.pem -noout -subject
subject= /O=dev/OU=Organizational CA
I'm assuming that I'm supposed to use a form of contacting the server that
matches this subject information, but I can't see how I can do so. (There
isn't even a CN part.) I tried putting the identifier 'dev' in /etc/hosts
and use this instead of the IP number but that didn't work. It's not
possible in the short term to get an alternative certificate due to staffing
issues. Is there any way to get the OpenLDAP client to work with this
certificate? The same certificate (or at least one generated from the same
DER original, with the same subject) was used in a Java web application to
securely authenticate against the same LDAP server. It's possible that the
answer to this is just that OpenLDAP is more fussy about matching the
supplied host to the subject of the certificate, but I'm hoping there's some
way around it. Is there any way I can work with the existing certificate?
Can I generate something from it that will work?
Thanks in advance,
John Manning.
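As an added illustration (not code from the post, and not OpenLDAP's own implementation), the following Python reproduces the comparison rule the error message refers to: the name the client used to open the connection (a hostname or an IP literal, with no canonical-name substitution, per RFC 2830 section 3.6) is compared against the peer certificate's subjectAltName entries and, failing that, its subject CN. The subject line quoted in the post is reused as-is; every other name, address and certificate subject below is constructed for the example. Note that the check is made against the certificate the server presents in the handshake, not against the trust-anchor file, so the thing to inspect is the server's own certificate (for example its subject and subjectAltName as printed by `openssl x509 -noout -subject -text`).

```python
import ipaddress

# Subject line quoted in the post ('openssl x509 -noout -subject' output): no CN at all.
POSTED_SUBJECT = "subject= /O=dev/OU=Organizational CA"


def parse_openssl_subject(line: str) -> dict:
    """Parse the one-line '/O=dev/OU=Organizational CA' form printed by
    'openssl x509 -noout -subject' into an RDN dict (a later RDN of the
    same type overwrites an earlier one)."""
    line = line.split("subject=", 1)[-1].strip()
    rdns = {}
    for part in line.lstrip("/").split("/"):
        if "=" in part:
            key, value = part.split("=", 1)
            rdns[key.strip()] = value.strip()
    return rdns


def _dns_name_match(pattern: str, name: str) -> bool:
    """Case-insensitive DNS name comparison; a '*' is honoured only as the
    whole leftmost label and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern == name:
        return True
    if pattern.startswith("*."):
        head, sep, rest = name.partition(".")
        return sep == "." and head != "" and rest == pattern[2:]
    return False


def hostname_matches(connect_name: str, subject_line: str,
                     san_dns=(), san_ip=()):
    """Return (ok, reason). connect_name is the literal the client used to
    connect; san_dns / san_ip are the certificate's dNSName / iPAddress
    subjectAltName entries (constructed inputs in this example)."""
    try:
        ip = ipaddress.ip_address(connect_name)
    except ValueError:
        ip = None

    if ip is not None:
        for entry in san_ip:
            try:
                if ipaddress.ip_address(entry) == ip:
                    return True, f"iPAddress SAN {entry}"
            except ValueError:
                continue
    else:
        for entry in san_dns:
            if _dns_name_match(entry, connect_name):
                return True, f"dNSName SAN {entry}"

    # No usable SAN entry: fall back to the subject CN, if there is one.
    cn = parse_openssl_subject(subject_line).get("CN")
    if cn is None:
        return False, "subject has no CN and no matching subjectAltName"
    if ip is not None:
        # An IP literal only matches a CN that is that exact string.
        if cn == connect_name:
            return True, "CN equals IP literal"
        return False, f"CN {cn!r} does not equal IP literal {connect_name!r}"
    if _dns_name_match(cn, connect_name):
        return True, f"CN {cn}"
    return False, f"CN {cn!r} does not match {connect_name!r}"


if __name__ == "__main__":
    # The two attempts described in the post, against the posted subject.
    for name in ("192.0.2.10", "dev"):
        print(name, "->", hostname_matches(name, POSTED_SUBJECT))
    # Constructed subjects/SANs that would satisfy the check.
    print(hostname_matches("ldap.example.test", "/O=dev/CN=ldap.example.test"))
    print(hostname_matches("192.0.2.10", "/O=dev/CN=ldap.example.test",
                           san_ip=("192.0.2.10",)))
```

Run as a script it prints a (False, reason) pair for both the IP literal and the `dev` alias against the posted subject, because neither a CN nor a subjectAltName exists to compare against; the constructed subjects show the two ways a server certificate can satisfy the rule (a CN or dNSName equal to the connecting hostname, or an iPAddress entry equal to the connecting IP literal).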