Re: TLS fails

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Wednesday, February 15, 2006 5:35 PM -0800 Howard Chu <hyc@symas.com> 
wrote:

> Kurt D. Zeilenga wrote:
> > At 03:41 PM 2/15/2006, Quanah Gibson-Mount wrote:
> >
> > > On Wednesday 15 February 2006 15:40, Jon Roberts wrote:
> > >
> > > ldapsearch -ZZZ -h 171.67.16.11 uid=quanah uid
> > > ldap_start_tls: Connect error (-11)
> > >        additional info: error:14090086:SSL
> > > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> >
> > Assuming the certificate doesn't list the
> > IP address 171.67.16.11 as a alternative subject
> > name (which ldapsearch(1) should check), correct.
>
> But in the case of the OpenLDAP libraries, it would state explicitly
> "hostname does not match". The above error message comes from the OpenSSL
> library, meaning that there is something fundamentally wrong with the
> certificate itself. Running with a higher debug level would be more
> useful (or you could look up error code 14090086 in the OpenSSL source).

There's nothing wrong with the cert, I'm guessing I forgot to tell it where 
to find the CA chain. ;)

tribes:~> ldapsearch -ZZZ -h 171.67.16.23 uid=quanah uid
ldap_start_tls: Connect error (-11)
       additional info: TLS: hostname does not match CN in peer certificate

is the correct error after fixing that. ;)

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html