[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS: hostname does not match CN in peer certificate

To: "John Manning" <tri-racer@hotmail.com>
Subject: Re: TLS: hostname does not match CN in peer certificate
From: Buchan Milne <bgmilne@staff.telkomsa.net>
Date: Mon, 24 Oct 2005 19:49:47 +0200
Cc: openldap-software@OpenLDAP.org
In-reply-to: <BAY16-F18D2DD45FB1304D4D44656EA770@phx.gbl>
Organization: Telkom Internet
References: <BAY16-F18D2DD45FB1304D4D44656EA770@phx.gbl>
User-agent: KMail/1.8.2

On Monday 24 October 2005 17:53, John Manning wrote:
> I need to have some web applications use a TLS/SSL connection to an LDAP
> server for authentication. I have previously done this successfully (to the
> same server) for a Java web application and now need to do it for a PHP
> application (which uses the installed OpenLDAP client to contact the remote
> LDAP server). I'm contacting the remote LDAP server by IP number and I'm
> getting:
>
> TLS: hostname does not match CN in peer certificate
>
> This seems consistent with section 3.6 of the the TLS extension to LDAP
> (http://www.rfc-editor.org/rfc/rfc2830.txt):
> "The client MUST use the server hostname it used to open the LDAP
> connection as the value to compare against the server name as expressed in
> the server's certificate.  The client MUST NOT use the server's canonical
> DNS name or any other derived form of name."

Note that this is the subject on the server certificate.

> The remote LDAP server is a Novell server, which is its own CA, and the
> certificate I was given has the following:
> $ openssl x509 -in TrustedRootCert.pem -noout -subject
> subject= /O=dev/OU=Organizational CA

This is the subject of the CA cert, *not* the server certificate.

> I'm assuming that I'm supposed to use a form of contacting the server that
> matches this subject information,

No, the subject on the server's cert. You should be able to get it (the value 
following CN= in the subject line) with OpenSSL's s_client command:
$ openssl s_client -connect ldaphost:636

> but I can't see how I can do so. (There 
> isn't even a CN part.) I tried putting the identifier 'dev' in /etc/hosts
> and use this instead of the IP number but that didn't work. It's not
> possible in the short term to get an alternative certificate due to
> staffing issues. Is there any way to get the OpenLDAP client to work with
> this certificate? The same certificate (or at least one generated from the
> same DER original, with the same subject) was used in a Java web
> application to securely authenticate against the same LDAP server. It's
> possible that the answer to this is just that OpenLDAP is more fussy about
> matching the supplied host to the subject of the certificate, but I'm
> hoping there's some way around it.

You could disable certificate checking in the OpenLDAP ldap.conf (which should 
apply to php-ldap too).

Regards,
Buchan

-- 
Buchan Milne
ISP Systems Specialist
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)

Attachment: pgpNsUo8d5Jes.pgp
Description: PGP signature

Follow-Ups:
- Re: TLS: hostname does not match CN in peer certificate
  - From: "John Manning" <tri-racer@hotmail.com>

References:
- TLS: hostname does not match CN in peer certificate
  - From: "John Manning" <tri-racer@hotmail.com>

Prev by Date: TLS: hostname does not match CN in peer certificate
Next by Date: upgrading source base from 2.2.19 to 2.3.11
Index(es):
- Chronological
- Thread