[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS: hostname does not match CN in peer certificate

To: "John Manning" <tri-racer@hotmail.com>
Subject: Re: TLS: hostname does not match CN in peer certificate
From: Buchan Milne <bgmilne@staff.telkomsa.net>
Date: Tue, 25 Oct 2005 19:37:44 +0200
Cc: openldap-software@OpenLDAP.org
In-reply-to: <BAY16-F25C872AB1EDA7655207AF7EA770@phx.gbl>
Organization: Telkom Internet
References: <BAY16-F25C872AB1EDA7655207AF7EA770@phx.gbl>
User-agent: KMail/1.8.2

On Monday 24 October 2005 22:49, John Manning wrote:
> On Monday 24 October 2005 19:49, Buchan Milne wrote:
> >No, the subject on the server's cert. You should be able to get it (the
> >value
> >following CN= in the subject line) with OpenSSL's s_client command:
> >$ openssl s_client -connect ldaphost:636
>
> Firstly, thanks so much for your help. I've made progress as a result
> (having been stuck for ages). I did as you suggested above. I got the
> following in the first few lines:
>
> $ openssl s_client -connect ldaphost:636
> CONNECTED(00000003)
> depth=1 /O=dev/OU=Organizational CA
> verify error:num=19:self signed certificate in certificate chain
> verify return:0

This is still the CA cert. Look further down the outout for the server cert.

Unfortunately I can't currently show you an example with working CA certs.

>
> Not sure if the "verify error" in there is terribly ominous or not.

You'd want to use the -CApath option to openssl s_client to check the validity 
of the cert (I omitted that the first time :-().

> Later 
> on, there was indeed a subject line, as you predicted, with a CN value that
> was FQDN-like (say foo.bar.tld). I popped this in /etc/hosts and tried an
> ldapsearch:
>
> $ ldapsearch -v -D "cn=someuser, o=users" -H ldaps://foo.bar.tld:636 -ZZ
> ldap_initialize( ldaps://foo.bar.tld:636 )
> ldap_start_tls: Operations error (1)
>         additional info: TLS is is already established
>
> At first, I thought this might be due to some redundancy between the
> "ldaps" scheme, the 636 port number and the -ZZ option to start TLS.

It is.

> However, if I change the scheme to just "ldap" or change the port, I can't
> connect at all. If I get rid of the -ZZ, it doesn't know which external
> SASL mechanism to use. Stuck again.

Use -x to disable SASL.

>
> >You could disable certificate checking in the OpenLDAP ldap.conf (which
> >should
> >apply to php-ldap too).
>
> If this is the:
> TLS_REQCERT <level>
> option, I've tried playing around with that to no avail. It was at "allow"
> by default. I changed it to "never" but it didn't affect the above
> ldapsearch.

At this point you probably want to point OpenLDAP's ldap.conf at the CA cert:

TLS_CACERT /path/to/TrustedRootCert.pem


Regards,
Buchan

-- 
Buchan Milne
ISP Systems Specialist
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)

Attachment: pgpl4iEYKSC7k.pgp
Description: PGP signature

References:
- Re: TLS: hostname does not match CN in peer certificate
  - From: "John Manning" <tri-racer@hotmail.com>

Prev by Date: Re: slurpd over ssl not tls
Next by Date: unicity of uid on all of the directory
Index(es):
- Chronological
- Thread