
Re: failover config: servers with same DNS address and TLS, subjectAltName extension

Emmanuel Dreyfus wrote:
> Howard Chu <hyc@symas.com> wrote:
>> Though I suspect that in the 7 or so years that OpenLDAP has supported
>> OpenSSL, many people have been confronted with this problem, read the docs,
>> and implemented the solution and moved on to the next thing, without any fuss.
>
> I am not sure I'm the only one who has the feeling he has lost too much time
> bringing the parts together for a recurrent usage that could have been better
> documented. Feedback from other users would be interesting.
>
>> It may just mean there is a language barrier, something that would better be
>> served by a translation of OpenSSL docs into French.
>
> So in your opinion, I'm basically complaining because I can't read English?
> This is getting rude. :-/

It seems to me that you cannot read what is plainly in front of your face, for whatever reason. The fact that you can use environment variables to augment the OpenSSL configuration file is clearly documented at the top of the OpenSSL config(5) manual page. The use of "subjectAltName" has multiple examples in the default openssl.cnf file that is bundled with every OpenSSL release. The meaning of the word "alternative" in subjectAlternativeName is plain English, and again even the OpenLDAP Admin Guide says "Additional alias names and wildcards may be present in the subjectAltName certificate extension." The FAQ-o-Matic is pretty explicit too.


http://www.openldap.org/doc/admin23/tls.html#TLS%20Certificates
http://www.openldap.org/faq/index.cgi?file=185

Yet despite all the work you've put into this you've missed all of these very obvious things.

Your initial assertion that the documentation for this topic is hidden or unavailable is clearly wrong. Your assertion that it is in general difficult to understand doesn't seem well supported either; googling for "subjectaltname openldap" returns hundreds of hits. So it falls to just the fact that you had a hard time understanding it.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
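The two mechanisms the reply points at, the `$ENV::NAME` expansion described in config(5) and the `subjectAltName` extension, put together for the failover case in the subject line: both LDAP hosts answer to one shared service name, so the certificate each of them presents has to list the shared name as well as its own. The script below is an added example, not code from this thread, from OpenLDAP or from OpenSSL; the host names `ldap.example.com`, `ldap1.example.com` and `ldap2.example.com` are constructed placeholders. It writes a config whose SAN comes from the `SAN` environment variable, issues a short-lived self-signed test certificate from it, and then checks that every required name is actually present in the result, which is the step worth automating before a client refuses a connection after a failover.

```shell
#!/bin/sh
# Added example: feed subjectAltName to OpenSSL through an environment
# variable ($ENV::SAN, see config(5)) and verify the issued certificate
# carries every name the failover pair must answer to.
# Host names and paths are constructed placeholders, not from the thread.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write a minimal openssl.cnf whose extension section takes its SAN list
# from the SAN environment variable. Prints the number of lines that use
# the expansion (expected: 1) so callers can confirm the file is in place.
write_san_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ldap
prompt             = no

[ req_dn ]
CN = ldap.example.com

[ v3_ldap ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = $ENV::SAN
EOF
    grep -c 'ENV::SAN' "$1"
}

# Issue a one-day self-signed test certificate. The shared service name and
# both host names go into SAN, so a client resolving ldap.example.com will
# accept whichever host answers. (A real deployment would send the CSR to
# its CA instead of using -x509; the SAN handling is the same.)
issue_test_cert() {
    cnf="$1"; crt="$2"
    SAN="DNS:ldap.example.com,DNS:ldap1.example.com,DNS:ldap2.example.com" \
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$cnf" -keyout "$WORKDIR/key.pem" -out "$crt" 2>/dev/null
}

# Print the DNS names found in the certificate's subjectAltName, one per
# line. Uses -text rather than -ext so it works on older OpenSSL releases.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Exit 0 if the exact name is listed in the certificate's SAN, 1 otherwise.
cert_has_name() {
    cert_dns_names "$1" | grep -qx "$2"
}

CNF="$WORKDIR/openssl-san.cnf"
CRT="$WORKDIR/ldap.crt"
write_san_config "$CNF" >/dev/null

# Only exercise the certificate path when an openssl binary is available.
if command -v openssl >/dev/null 2>&1; then
    issue_test_cert "$CNF" "$CRT"
    for n in ldap.example.com ldap1.example.com ldap2.example.com; do
        if cert_has_name "$CRT" "$n"; then
            echo "ok: $n present in subjectAltName"
        else
            echo "MISSING: $n not in subjectAltName of $CRT"
            exit 1
        fi
    done
fi
```

Run it with `WORKDIR` pointing at a scratch directory; it leaves `openssl-san.cnf`, `key.pem` and `ldap.crt` there. To check a certificate already deployed on a server, call `cert_has_name /path/to/server.crt ldap.example.com` for each name clients use, including the shared failover name; a missing entry there is exactly the mismatch that makes clients reject the second host.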