
Re: Subject Alternative Name in TLS - does this work?



It should work, but depends on the checks performed by the TLS+crypto toolkit.

Using the CN to hold the hostname/IP is deprecated, and this field is now ignored by some libraries if the SAN extension is present.


2013/10/17 lejeczek <peljasz@yahoo.co.uk>
> dear all
>
> I'm trying to set a seemingly simple setup
> having a box with openldap I want it to use TLS on both internal and external hostnames/IPs
>
> openldap was set up earlier and was/is working
> I generate TLS certificate with SAN
> everything seems working fine
> but
> when I ldapsearch on external fqdn/IP (which in the certificate is the subjectAltName) search fails
> whereas it succeeds on internal fqdn (which is the hostname/CN in the certificate)
>
> error is: additional info: TLS error -8157:Certificate extension not found.
>
> is such a scenario even possible? having very same DN being served on more than one name via TLS?
>
> best wishes




--
Erwann.
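The checks the reply refers to, as an added example (not code from this thread or from any particular TLS toolkit): the name-matching decision a modern client makes once a subjectAltName extension is present, run over constructed certificate identities. The dict layout, host names and IP address are assumptions, not taken from the poster's certificate.

```python
import ipaddress

# Constructed certificate identities (not parsed from a real certificate); the
# host names and the IP are assumptions modelled on the poster's setup.
LDAP_CERT = {
    "commonName": "ldap.internal.example",
    "subjectAltName": [("DNS", "ldap.internal.example"),
                       ("DNS", "ldap.example.com"),
                       ("IP", "203.0.113.10")],
}
# Legacy certificate with no SAN extension at all: only the CN carries a name.
CN_ONLY_CERT = {"commonName": "ldap.internal.example"}


def match_dns(pattern, hostname):
    """dNSName match in the RFC 6125 style: case-insensitive, trailing dot
    ignored, a wildcard only as the whole left-most label with at least two
    labels after it, and never matching across a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def verify_peer_name(cert, name):
    """True if `name` (the DNS name or IP literal the client connected to) is
    an identity of `cert`. Once a subjectAltName extension is present the CN
    is ignored entirely, and an IP literal only ever matches an iPAddress
    entry, never a dNSName or the CN. Without a SAN, fall back to the
    deprecated CN match for DNS names only (an assumption of this example)."""
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName")
    if san is not None:
        if ip is not None:
            return any(ipaddress.ip_address(v) == ip for t, v in san if t == "IP")
        return any(match_dns(v, name) for t, v in san if t == "DNS")
    if ip is not None:
        return False
    return match_dns(cert.get("commonName", ""), name)
```

A certificate whose external name or IP appears only in the CN therefore fails against such a client as soon as any SAN extension is present, which is why every name and address the server answers on belongs in the SAN.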