
Re: TLS: hostname does not match CN in peer certificate



On Monday 24 October 2005 19:49, Buchan Milne wrote:
> No, the subject on the server's cert. You should be able to get it (the value
> following CN= in the subject line) with OpenSSL's s_client command:
> $ openssl s_client -connect ldaphost:636

Firstly, thanks so much for your help. I've made progress as a result (having been stuck for ages). I did as you suggested above. I got the following in the first few lines:


$ openssl s_client -connect ldaphost:636
CONNECTED(00000003)
depth=1 /O=dev/OU=Organizational CA
verify error:num=19:self signed certificate in certificate chain
verify return:0

Not sure if the "verify error" in there is terribly ominous or not. Later on, there was indeed a subject line, as you predicted, with a CN value that was FQDN-like (say foo.bar.tld). I popped this in /etc/hosts and tried an ldapsearch:

$ ldapsearch -v -D "cn=someuser, o=users" -H ldaps://foo.bar.tld:636 -ZZ
ldap_initialize( ldaps://foo.bar.tld:636 )
ldap_start_tls: Operations error (1)
       additional info: TLS is is already established

At first, I thought this might be due to some redundancy between the "ldaps" scheme, the 636 port number and the -ZZ option to start TLS. However, if I change the scheme to just "ldap" or change the port, I can't connect at all. If I get rid of the -ZZ, it doesn't know which external SASL mechanism to use. Stuck again.

> You could disable certificate checking in the OpenLDAP ldap.conf (which should
> apply to php-ldap too).

If this is the:
TLS_REQCERT <level>
option, I've tried playing around with that to no avail. It was at "allow" by default. I changed it to "never" but it didn't affect the above ldapsearch.


Thanks again,

John.
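As an added example (not code from the thread), the following Python shows the check behind the "hostname does not match CN" error: a hostname is compared against the names in a peer certificate, with DNS subjectAltName entries taking precedence over the subject CN, which is why connecting by the CN value found with s_client makes the error go away. The certificate dict is constructed in the shape returned by ssl.SSLSocket.getpeercert(); fetch_peer_cert is an assumed helper that needs a live server and is not exercised offline.

```python
"""Compare a hostname with the names in a TLS peer certificate.

Certificates use the dict shape returned by ssl.SSLSocket.getpeercert().
Rule applied (the common client rule, RFC 6125): if the certificate carries
DNS SANs, only those count; otherwise the subject CN is used. A wildcard is
honoured only as the whole leftmost label and matches exactly one label.
"""
import socket
import ssl


def _dns_names(cert):
    """Names to check: DNS SANs if present, else every commonName in the subject."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def _name_match(pattern, hostname):
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    # '*.bar.tld' matches 'foo.bar.tld' but not 'bar.tld' or 'a.b.bar.tld'
    parts = hostname.split(".", 1)
    return len(parts) == 2 and parts[0] != "" and parts[1] == pattern[2:]


def hostname_matches(cert, hostname):
    """True if hostname is covered by the certificate's SAN (preferred) or CN."""
    return any(_name_match(n, hostname) for n in _dns_names(cert))


def fetch_peer_cert(host, port=636, cafile=None):
    """Assumed helper: fetch the peer cert with chain verification on but the
    library's own name check off, so the mismatch can be reported instead."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # hostname_matches() does the comparison
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert()


# Constructed sample resembling the certificate in the post: CN=foo.bar.tld
# issued by an internal "Organizational CA", and no subjectAltName at all.
SAMPLE_CERT = {
    "subject": ((("organizationName", "dev"),), (("commonName", "foo.bar.tld"),)),
    "issuer": ((("organizationName", "dev"),), (("organizationalUnitName", "Organizational CA"),)),
}
```

With this sample, "foo.bar.tld" matches but "ldaphost" does not, which is exactly the situation the /etc/hosts entry in the post works around.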
