
TLS: hostname does not match CN in peer certificate



I need to have some web applications use a TLS/SSL connection to an LDAP server for authentication. I have previously done this successfully (to the same server) for a Java web application and now need to do it for a PHP application (which uses the installed OpenLDAP client to contact the remote LDAP server). I'm contacting the remote LDAP server by IP number and I'm getting:

TLS: hostname does not match CN in peer certificate

This seems consistent with section 3.6 of the TLS extension to LDAP
(http://www.rfc-editor.org/rfc/rfc2830.txt):
"The client MUST use the server hostname it used to open the LDAP connection as the value to compare against the server name as expressed in the server's certificate. The client MUST NOT use the server's canonical DNS name or any other derived form of name."


The remote LDAP server is a Novell server, which is its own CA, and the certificate I was given has the following:
$ openssl x509 -in TrustedRootCert.pem -noout -subject
subject= /O=dev/OU=Organizational CA


I'm assuming that I'm supposed to use a form of contacting the server that matches this subject information, but I can't see how I can do so. (There isn't even a CN part.) I tried putting the identifier 'dev' in /etc/hosts and use this instead of the IP number but that didn't work. It's not possible in the short term to get an alternative certificate due to staffing issues. Is there any way to get the OpenLDAP client to work with this certificate? The same certificate (or at least one generated from the same DER original, with the same subject) was used in a Java web application to securely authenticate against the same LDAP server. It's possible that the answer to this is just that OpenLDAP is more fussy about matching the supplied host to the subject of the certificate, but I'm hoping there's some way around it. Is there any way I can work with the existing certificate? Can I generate something from it that will work?

Thanks in advance,

John Manning.
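To make the RFC 2830 section 3.6 rule concrete, here is an added example (not part of the original post or of OpenLDAP) that applies it to a certificate in the layout Python's ssl.getpeercert() returns. The two certificates are constructed: one has only O and OU in its subject, like the subject printed above, and the other shows what a server certificate needs to carry (a CN and, preferably, subjectAltName entries) for a connection by hostname or by IP address to verify.

```python
import ipaddress

# Constructed: subject with only O and OU, as printed in the post.
# There is no CN and no subjectAltName, so no connection name can match.
POST_CERT = {
    "subject": ((("organizationName", "dev"),),
                (("organizationalUnitName", "Organizational CA"),)),
}
# Constructed: what a server certificate would need to carry instead.
GOOD_CERT = {
    "subject": ((("commonName", "ldap.example.test"),),),
    "subjectAltName": (("DNS", "ldap.example.test"),
                       ("IP Address", "192.0.2.10")),
}

def _dns_match(pattern, hostname):
    """Case-insensitive compare; a leftmost '*' label matches one label only."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    tail = pattern.split(".", 1)[1]
    parts = hostname.split(".", 1)
    return len(parts) == 2 and parts[0] != "" and parts[1] == tail

def hostname_matches(cert, host):
    """RFC 2830 3.6: the name the client used to connect must appear in the
    server certificate as given; nothing derived (no reverse lookup, no O/OU)
    is consulted. Returns (matched, reason)."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # Connecting by IP number requires an iPAddress SAN entry.
        ips = [ipaddress.ip_address(v) for k, v in san if k == "IP Address"]
        if ip in ips:
            return True, "iPAddress SAN"
        return False, "no iPAddress SAN for %s" % host
    dns_names = [v for k, v in san if k == "DNS"]
    if dns_names:
        if any(_dns_match(p, host) for p in dns_names):
            return True, "dNSName SAN"
        return False, "no dNSName SAN matches"  # SAN present: no CN fallback
    cns = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    if not cns:
        return False, "certificate subject has no CN"
    if any(_dns_match(cn, host) for cn in cns):
        return True, "subject CN"
    return False, "CN %r does not match" % cns
```

Run against POST_CERT, both an IP number and the name 'dev' fail for the reasons the error message hints at; only a certificate issued with the connection name in its CN or SAN verifies.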
