Re: start_tls: connect error
Dieter Kluenter wrote:
> Hi,
> I just wonder whether this is a bug in OpenSSL or in OpenLDAP, anyhow
> the subjectAltName attribute values are not honoured.
> openssl-0.9.8k-3.5.3.x86_64
> openldap-2.4.21
>
> ldapwhoami -Y EXTERNAL -ZZ -H ldap://localhost
> ldap_start_tls: Connect error (-11)
> additional info: TLS: hostname does not match CN in peer certificate
>
> openssl x509 -in cert.pem -noout -text
> Subject: C=DE, L=Hamburg, O=AVCI, OU=Certificate Authority, CN=rubin.avci.de/emailAddress=hdk@dkluenter.de
> ...
> X509v3 Subject Alternative Name:
> DNS:localhost, DNS:ldap.xxxx.de, DNS:dkluenter.xxxx.org
>
> Not to mention that this is OK with other versions of openldap and
> openssl.
>
> -Dieter
>
Show the output with debugging enabled. Note that "localhost" is treated
specially, and will be replaced by the local hostname instead of being used
directly in the name comparison.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
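An added illustration of the comparison rule Howard describes, not code from this thread or from libldap itself: a simplified model of client-side hostname checking in which subjectAltName dNSName entries are tried first, the subject CN is only a fallback, and a requested name of "localhost" is replaced by the machine's own hostname before anything is compared. The certificate below is constructed for the example with placeholder names (it mirrors the shape of the one in the thread but is not that certificate); `local_hostname` is a test hook so the script does not depend on the host it runs on.

```python
import socket
from dataclasses import dataclass, field


@dataclass
class PeerCert:
    """Minimal stand-in for a parsed X.509 certificate (constructed, not read from PEM)."""
    subject_cn: str
    san_dns: list = field(default_factory=list)


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive comparison; a leading '*.' matches exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def effective_hostname(name_in: str, local_hostname=None) -> str:
    """Model of the special case in the reply above: 'localhost' is swapped for
    whatever the OS reports as the local hostname before the comparison runs,
    so a certificate that only carries DNS:localhost does not help."""
    if name_in.lower() == "localhost":
        return (local_hostname or socket.gethostname()).lower()
    return name_in.lower()


def check_hostname(cert: PeerCert, name_in: str, local_hostname=None):
    """Return (ok, reason). SAN dNSName entries win; the CN is consulted only
    when none of them matched."""
    host = effective_hostname(name_in, local_hostname)
    for entry in cert.san_dns:
        if _dns_match(entry, host):
            return True, f"matched subjectAltName DNS:{entry}"
    if _dns_match(cert.subject_cn, host):
        return True, f"matched subject CN={cert.subject_cn}"
    return False, "TLS: hostname does not match CN in peer certificate"


# Constructed certificate with placeholder names (not the one from the thread).
EXAMPLE_CERT = PeerCert(
    subject_cn="rubin.example.test",
    san_dns=["localhost", "ldap.example.test", "*.example.org"],
)

if __name__ == "__main__":
    # Same URI host, different local hostnames: only the machine whose own name
    # appears in the certificate gets a match via ldap://localhost.
    for uri_host, local in [("localhost", "rubin.example.test"),
                            ("localhost", "other.example.test"),
                            ("ldap.example.test", None)]:
        print(uri_host, local, check_hostname(EXAMPLE_CERT, uri_host, local))
```

Running it shows why the same certificate can pass on one host and fail on another when the URI says `localhost`: the decisive value is the local hostname, not the literal string in the URI.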