Re: TLS: hostname does not match CN in peer certificate
On Monday 24 October 2005 19:49, Buchan Milne wrote:
No, the subject on the server's cert. You should be able to get it (the value
following CN= in the subject line) with OpenSSL's s_client command:
$ openssl s_client -connect ldaphost:636
Firstly, thanks so much for your help. I've made progress as a result
(having been stuck for ages). I did as you suggested above. I got the
following in the first few lines:
$ openssl s_client -connect ldaphost:636
CONNECTED(00000003)
depth=1 /O=dev/OU=Organizational CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
Not sure if the "verify error" in there is terribly ominous or not. Later
on, there was indeed a subject line, as you predicted, with a CN value that
was FQDN-like (say foo.bar.tld). I popped this in /etc/hosts and tried an
ldapsearch:
$ ldapsearch -v -D "cn=someuser, o=users" -H ldaps://foo.bar.tld:636 -ZZ
ldap_initialize( ldaps://foo.bar.tld:636 )
ldap_start_tls: Operations error (1)
additional info: TLS is already established
At first, I thought this might be due to some redundancy between the "ldaps"
scheme, the 636 port number and the -ZZ option to start TLS. However, if I
change the scheme to just "ldap" or change the port, I can't connect at all.
If I get rid of the -ZZ, it doesn't know which external SASL mechanism to
use. Stuck again.
You could disable certificate checking in the OpenLDAP ldap.conf (which should
apply to php-ldap too).
If this is the:
TLS_REQCERT <level>
option, I've tried playing around with that to no avail. It was at "allow"
by default. I changed it to "never" but it didn't affect the above
ldapsearch.
Thanks again,
John.
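The two checks the thread circles around, as an added example that is not part of the original message or of OpenLDAP's own code: pull the CN out of `openssl s_client` output, compare it with the hostname the client is about to use, and print the ldapsearch transport options that do not negotiate TLS twice (ldaps:// on 636 without -ZZ, or plain ldap:// on 389 with -ZZ; combining ldaps:// with -ZZ is what yields "TLS already established"). The s_client output below is constructed from the thread's details (the "/"-separated subject layout of older OpenSSL), with O=dev, OU=servers and CN=foo.bar.tld assumed; the newer "CN = x" layout is also handled. The match logic covers only the subject CN, which is what the thread is about; a real client will also consult subjectAltName dNSName entries, which this example does not read.

```shell
#!/bin/sh
# Added example (not from the original thread or OpenLDAP). Extract the
# server certificate CN from s_client output, check it against the target
# hostname, and show the non-conflicting ldapsearch transport options.

# Constructed sample of "openssl s_client -connect ldaphost:636" output,
# modelled on the thread (names O=dev, OU=servers, CN=foo.bar.tld assumed).
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
depth=1 /O=dev/OU=Organizational CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/O=dev/OU=servers/CN=foo.bar.tld
   i:/O=dev/OU=Organizational CA
---
subject=/O=dev/OU=servers/CN=foo.bar.tld
issuer=/O=dev/OU=Organizational CA
---'

# extract_cn: read s_client output on stdin and print the CN from the first
# "subject=" line. Works for "/CN=x" (older OpenSSL) and "CN = x" (1.1+).
extract_cn() {
    sed -n '/^subject=/{s|^subject=.*CN *= *\([^/,]*\).*$|\1|p;q;}'
}

# hostname_matches CN HOST: succeed when HOST equals CN (case-insensitive)
# or CN is a wildcard "*.domain" covering exactly one extra label of HOST.
# Anything else is the "hostname does not match CN" failure.
hostname_matches() {
    cn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$cn" = "$host" ] && return 0
    case "$cn" in
        \*.*)
            suffix=${cn#\*.}
            case "$host" in
                *.$suffix)
                    prefix=${host%.$suffix}
                    case "$prefix" in *.*) return 1 ;; esac
                    return 0 ;;
            esac ;;
    esac
    return 1
}

# ldapsearch_cmd MODE HOST: print the transport options for one TLS
# negotiation only. "ldaps" = implicit TLS on 636, no -ZZ;
# "starttls" = plain ldap:// on 389 upgraded with -ZZ. Add your bind
# options (-D / -Y / -x) to whichever form you use.
ldapsearch_cmd() {
    case "$1" in
        ldaps)    printf -- '-H ldaps://%s:636\n' "$2" ;;
        starttls) printf -- '-H ldap://%s:389 -ZZ\n' "$2" ;;
        *)        return 1 ;;
    esac
}

main() {
    cn=$(printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | extract_cn)
    echo "server certificate CN: $cn"
    for h in foo.bar.tld ldaphost; do
        if hostname_matches "$cn" "$h"; then
            echo "$h: matches CN; use: ldapsearch $(ldapsearch_cmd ldaps "$h")"
        else
            echo "$h: does not match CN; connect as $cn or fix the cert"
        fi
    done
}
main
```

Connecting by the name on the certificate (or reissuing the certificate with the name clients actually use) is the fix; relaxing TLS_REQCERT to never in ldap.conf, ~/.ldaprc or the LDAPTLS_REQCERT environment variable turns off verification altogether and leaves the session open to an impersonating server, so treat it as a diagnostic step rather than a configuration.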