Re: Subject Alternative Name in TLS - does this work?
- To: openldap-technical@openldap.org
- Subject: Re: Subject Alternative Name in TLS - does this work?
- From: lejeczek <peljasz@yahoo.co.uk>
- Date: Fri, 18 Oct 2013 11:25:59 +0100
- Cc: Christian Kratzer <ck@cksoft.de>
- In-reply-to: <alpine.BSF.2.00.1310181134000.88246@pohjola.cksoft.de>
- References: <52600718.4000807@yahoo.co.uk> <alpine.BSF.2.00.1310181134000.88246@pohjola.cksoft.de>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130805 Thunderbird/17.0.8
On 10/18/2013 10:41 AM, Christian Kratzer wrote:
Hi,
On Thu, 17 Oct 2013, lejeczek wrote:
dear all
I'm trying to set a seemingly simple setup
having a box with openldap I want it to use TLS on both
internal and external hostnames/IPs
openldap was set up earlier and was/is working
I generate TLS certificate with SAN
everything seems working fine
but
when I ldapsearch on external fqdn/IP (which in the
certificate is the subjectAltName) search fails
whereas it succeeds on internal fqdn(which is the
hostname/ CN in the certificate)
error is: additional info: TLS error -8157:Certificate
extension not found.
is such a scenario even possible? having very same DN
being served on more than one name via TLS?
If this is what you are looking for I can confirm that I
have a setup with ldaps:// and ldap:// with TLS that uses
subjectAltNames in the certificates.
Relevant parts of the x509 cert with customer name obfuscated
We have this on one server:
Subject: C=XX, ST=State, L=City, O=Company,
CN=ldap1.example.org
X509v3 Subject Alternative Name:
DNS:ldap1.example.org, DNS:ldap1,
DNS:ldap-cluster.example.org, DNS:ldap-cluster
We have this on the other server:
Subject: C=XX, ST=State, L=City, O=Company,
CN=ldap2.example.org
X509v3 Subject Alternative Name:
DNS:ldap2.example.org, DNS:ldap2,
DNS:ldap-cluster.example.org, DNS:ldap-cluster
We can connect to ldap-cluster.example.org just fine
independent of which server the load balancer directs
the TCP connection to.
This is using openldap-2.4.36
hi Christian
my case is, well, should be a lot simpler, one box with
slapd.local.domain
slap.public.external
and this one host I would like to be able to search through
on/via both hostnames/IPs with TLS
so I issue myself and sign a certificate, CA issuer is
CA.local.domain
Subject: .......... CN=slapd.local.domain/email.........
and
X509v3 Subject Alternative Name:
DNS:slap.public.external, IP
Address:ex.te.rn.al
ldapsearch -h slap.public.external -D
cn=manager,dc=local,dc=domain ....
result:
TLS: hostname (slap.public.external) does not match common
name in certificate (slapd.local.domain).
TLS: can't connect: TLS error -8157:Certificate extension
not found..
ldap_start_tls: Connect error (-11)
additional info: TLS error -8157:Certificate extension
not found.
whereas:
ldapsearch -h slap.local.domain -D cn=manager,dc=local,dc=domain
works fine
could it be the tools from openldap-clients, a bug? Apache's
ldap toolkit for Eclipse seems to work and connects to
slap.public.external
??
btw, being a novice with openssl, is there a way to print
extensions, thus the SAN, of a certificate?
I can print and see it on the request.
regards
Greetings
Christian
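The hostname check the poster is running into, as an added example (my code, not part of this thread or of OpenLDAP): a strict RFC 6125 matcher over certificates described in the shape Python's ssl.getpeercert() returns, with the dicts constructed from the names in this thread and a placeholder IP. It also shows why Christian's certificates repeat the CN inside the SAN list: once a DNS SAN is present, a strict verifier no longer consults the CN, so the internal name would fail too unless it is listed there.

```python
import ipaddress

# Constructed certificate descriptions (same shape as ssl.SSLSocket.getpeercert()).
# CERT_WITH_SAN models the poster's cert: internal name in the CN only, external
# name and a placeholder IP in the SAN. CERT_CN_ONLY has no SAN at all.
CERT_WITH_SAN = {
    "subject": ((("countryName", "XX"),), (("commonName", "slapd.local.domain"),)),
    "subjectAltName": (("DNS", "slap.public.external"), ("IP Address", "192.0.2.10")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "slapd.local.domain"),),)}


def _dns_match(pattern, hostname):
    """RFC 6125 style name match: case-insensitive; a lone '*' is allowed only as
    the left-most label and never matches more than one label or a TLD."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert, hostname):
    """Return the (type, value) certificate entry that matched, or None.
    IP literals are compared only against 'IP Address' SANs. DNS names are
    compared against 'DNS' SANs; the CN is consulted only when no DNS SAN exists."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        for kind, value in san:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return (kind, value)
        return None
    dns_names = [value for kind, value in san if kind == "DNS"]
    for name in dns_names:
        if _dns_match(name, hostname):
            return ("DNS", name)
    if dns_names:
        return None  # a DNS SAN is present: strict verifiers ignore the CN here
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_match(value, hostname):
                return ("commonName", value)
    return None
```

Older client libraries still fall back to the CN even when a SAN is present, which is why the internal name keeps working for the poster; putting every served name into the SAN avoids depending on that.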