Re: ldap client can't contact server with SubjectAltName used
- To: openldap-software@openldap.org
- Subject: Re: ldap client can't contact server with SubjectAltName used
- From: "Seed, Steven" <Steven.Seed@disney.com>
- Date: Mon, 12 Feb 2007 09:25:14 -0800
- In-reply-to: <45CD233A.5090305@disney.com>
- References: <45CD233A.5090305@disney.com>
- User-agent: Thunderbird 1.5.0.5 (X11/20060801)
Sending again, because I'm not sure if the first message got through
since I had not acknowledged my membership...
Steven Seed wrote:
I have an ldap server set up with an SSL certificate such that the
CN=hostname.fqdn. In the same certificate I have created a
SubjectAltName with several DNS aliases. With everything configured
properly in my ldap.conf file, I can make TLS connections to my ldap
server as long as I use the hostname that matches the CN, but if I
change my connection to use one of the aliases in the SubjectAltName I
get:
ldap_start_tls: Can't contact LDAP server (-1)
additional info: TLS: hostname does not match CN in peer
certificate
Here is the end of the debug output...I can supply the full output,
but it's quite large:
tls_read: want=5, got=5
0000: 16 03 01 00 30 ....0
tls_read: want=48, got=48
0000: 43 2b a5 b7 12 ef 88 f7 76 30 63 78 4c 16 99 0b
C+......v0cxL...
0010: 5f 26 f8 34 db 15 1b 24 e7 e2 bd 60 c4 25 b4 e4
_&.4...$...`.%..
0020: 0b d4 e7 27 f0 93 1b 6e 40 2a 5c ce a2 69 cd 2d
...'...n@*\..i.-
TLS: hostname (fatestldap.fas.fa.disney.com) does not match common
name in certificate (Proton.fas.fa.disney.com).
ldap_start_tls: Can't contact LDAP server (-1)
additional info: TLS: hostname does not match CN in peer
certificate
An openssl dump of the certificate yields the following in the
SubjectAltName section:
Certificate:
Data:
CN=Proton.fas.fa.disney.com
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
email:dns:faldap,dns:fatestldap,dns:faldap.fas.fa.disney.com,dns:fatestldap.fas.fa.disney.com
X509v3 CRL Distribution Points:
DirName:/DC=com/DC=disney/OU=PKI/CN=The Walt Disney Company
Enterprise CA/CN=CRL27
URI:http://cdp.disney.pvt/CRL/EnterpriseCRL.crl
URI:http://cdp.disney.com/CRL/EnterpriseCRL.crl
Can anyone help me figure out what is going wrong? This is the same
with both version 2.2.13 and 2.3.32 of openldap. Does the
SubjectAltName format look correct?
--
Steven L. Seed
Sr. Systems Administrator
Walt Disney Feature Animation
(818) 460-9453 (tl:8426-9453)
Steven.Seed@disney.com
=================================================================
()
__/\__
|\ .-"` `"-. /| I HAVE BEEN CHOSEN...
| \.'( ') (' ) (. )`./ | FAREWELL MY FRIENDS...
\_ _/ I GO ONTO A BETTER PLACE!
\ `~"'=::='"~` /
`-.__ __.-'
( `""~~""` )
[_____[##]_____]
=================================================================
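An added worked example, not part of the post above and not OpenLDAP's own code, showing how a TLS client decides whether a hostname matches a server certificate and why the encoding of the SubjectAltName matters. openssl prints each GeneralName in a SAN with its own type prefix (`DNS:`, `email:`, `IP Address:`); a SAN that prints as `email:dns:faldap,...` is therefore one rfc822Name entry whose value is the string `dns:faldap,...`, with no dNSName entries at all. The matching rule used here (dNSName entries are checked first; the subject CN is consulted only when the certificate carries no dNSName) follows RFC 6125 and is this example's choice, not a claim about what any particular libldap release does. The two SAN lists and the `san_config_line` helper (which emits the `subjectAltName = DNS:...` form openssl.cnf expects) are constructed for the example.

```python
"""Hostname verification against a server certificate's subjectAltName and CN.

Added example: models the check a TLS client (such as an LDAP client doing
StartTLS) performs, using the names from the post as constructed input.
"""


def san_config_line(hostnames):
    """openssl.cnf line that produces one dNSName SAN entry per hostname."""
    return "subjectAltName = " + ",".join("DNS:" + h for h in hostnames)


def dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison of one dNSName (or CN) against a hostname.

    Case-insensitive; a wildcard is only accepted as the entire leftmost label,
    must leave at least two fixed labels, and never spans a dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_hostname(hostname, subject_cn, san):
    """Return (ok, reason).

    `san` is a list of (general_name_type, value) pairs as openssl would print
    them, e.g. [("DNS", "faldap"), ("email", "admin@example.com")].
    dNSName entries are authoritative when present; the CN is only a fallback
    for certificates that carry no dNSName at all.
    """
    dns_names = [value for gn_type, value in san if gn_type.upper() == "DNS"]
    if dns_names:
        if any(dns_name_matches(d, hostname) for d in dns_names):
            return True, "hostname matched a dNSName entry"
        return False, "no dNSName entry matches %s (CN not consulted)" % hostname
    if dns_name_matches(subject_cn, hostname):
        return True, "hostname matched common name (no dNSName present)"
    return False, "hostname (%s) does not match common name in certificate (%s)" % (
        hostname, subject_cn)


# Constructed inputs modelled on the certificate dump in the post.
CN = "Proton.fas.fa.disney.com"

# A SAN that prints as "email:dns:faldap,dns:..." is a single rfc822Name whose
# value is that whole string; it contains no dNSName entries.
SAN_AS_POSTED = [
    ("email",
     "dns:faldap,dns:fatestldap,dns:faldap.fas.fa.disney.com,"
     "dns:fatestldap.fas.fa.disney.com"),
]

# What a certificate issued with san_config_line(ALIASES) carries instead.
ALIASES = ["faldap", "fatestldap",
           "faldap.fas.fa.disney.com", "fatestldap.fas.fa.disney.com"]
SAN_WITH_DNS = [("DNS", a) for a in ALIASES]


if __name__ == "__main__":
    print(san_config_line(ALIASES + [CN]))
    for san_label, san in (("as posted", SAN_AS_POSTED), ("dNSName", SAN_WITH_DNS)):
        for host in ("Proton.fas.fa.disney.com", "fatestldap.fas.fa.disney.com"):
            ok, reason = check_hostname(host, CN, san)
            print("%-10s %-30s %s: %s" % (san_label, host, "OK  " if ok else "FAIL", reason))
```

Run stand-alone, the script shows that with the SAN as posted only the CN hostname is accepted, while with real dNSName entries every alias is accepted. Note the second consequence of the RFC 6125 rule: once a certificate carries dNSName entries the CN is ignored, so the CN hostname itself must also appear in the SAN (the `san_config_line(ALIASES + [CN])` call in the example does this) or connections by that name will start failing after the fix.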