
Re: Subject Alternative Name in TLS - does this work?



Am Fri, 18 Oct 2013 14:30:35 +0100
schrieb lejeczek <peljasz@yahoo.co.uk>:

> 
> On 10/18/2013 11:59 AM, Christian Kratzer wrote:
> > Hi,
> >
> > On Fri, 18 Oct 2013, lejeczek wrote:
> > <snipp/>
> >> hi Christian
> >>
> >> my case is, well, should be a lot simpler: one box with
> >>
> >> slapd.local.domain
> >> slap.public.external
> >>
> >> and this one host I would like to be able to search 
> >> through on/via both hostnames/IPs with TLS
> >> so I issue myself and sign a certificate, CA issuer is 
> >> CA.local.domain
> >>
> >> Subject: .......... CN=slapd.local.domain/email.........
> >> and
> >> X509v3 Subject Alternative Name:
> >>                DNS:slap.public.external, IP 
> >> Address:ex.te.rn.al
> >>
> >> ldapsearch -h slap.public.external -D 
> >> cn=manager,dc=local,dc=domain ....
> >> result:
> >> TLS: hostname (slap.public.external) does not match 
> >> common name in certificate (slapd.local.domain).
> >> TLS: can't connect: TLS error -8157:Certificate extension 
> >> not found..
> >> ldap_start_tls: Connect error (-11)
> >>    additional info: TLS error -8157:Certificate extension 
> >> not found.
> >>
> >> whereas:
> >> ldapsearch -h slap.local.domain -D 
> >> cn=manager,dc=local,dc=domain
> >> works fine
> >> could it be the tools from openldap-clients, a bug?
> >> Apache's ldap toolkit for Eclipse seems to work and 
> >> connects to slap.public.external
> >
> > this should work.  It does in two separate setups that I 
> > maintain.
> >
> > Which version is your openldap client ?
> the whole toolkit is Red Hat's 2.4.23-31.el6.x86_64 on RHEL 6.4
> >
> > Have you configured the CA certificate for trust ? I have 
> > following in my /usr/local/etc/openldap/ldap.conf to 
> > configure the CA certificate:
> >
> for ldapsearch I pass the args inline on the command; I also 
> debug it and see that the wanted certificate is pulled in
> 
> >     [ck@ldaptest1]$ cat ~ldap/ldap.conf
> >     BASE dc=example,dc=org
> >     URI ldap://ldaptest1.cksoft.de
> >     TLS_CACERT 
> > /usr/local/etc/openldap/certs/cksoftware-gmbh-ca-2011-2031.cert 
> >
> >     TLS_REQCERT demand
> >
> >> btw, being novice with openssl, is there a way to print 
> >> extensions thus SAN of a certificate?
> >> I can print and see it on the request.
> >
> > use following to dump the certificate:
> >
> >     openssl s_client -text -in CERT.pem
> and there is no such thing for s_client in the toolkit version as 
> above,
> I normally view a certificate with:
> 
> openssl x509 -issuer -subject -enddate -noout -text -in 
> CERT.pem -- and I cannot see subjectAltNames
> 
> how could it be, given the above is the right way to get all 
> relevant info of a certificate, that the request has 
> subjectAltNames but the actual certificate misses it?

You are requesting just a reduced set of data,

openssl x509 -text -noout -in CERT.pem will present all relevant data. 
 
-Dieter
-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
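As an added illustration (not code from this thread or from OpenLDAP), the following Python parses the DER body of an X.509 subjectAltName extension, the data `openssl x509 -text -noout` prints under "X509v3 Subject Alternative Name", and checks a hostname in the order libldap applies it: SAN dNSName/iPAddress entries first, then the CN as a fallback, which is why a certificate that lacks the SAN only ever matches its CN. The SAN bytes are constructed inline; 203.0.113.10 is a documentation-range placeholder, not the poster's address.

```python
import ipaddress

DNS_NAME, IP_ADDRESS = 2, 7  # GeneralName CHOICE tags, RFC 5280 section 4.2.1.6

def _der_len(data, pos):
    """Decode a DER length at data[pos]; return (length, position after it)."""
    first = data[pos]
    if first < 0x80:                      # short form
        return first, pos + 1
    n = first & 0x7F                      # long form: n length bytes follow
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def parse_san(der):
    """Parse the extension's OCTET STRING body (SEQUENCE OF GeneralName) into
    [(kind, value)]; only dNSName [2] and iPAddress [7] matter for host checks."""
    if der[0] != 0x30:
        raise ValueError("subjectAltName value must be a SEQUENCE")
    total, pos = _der_len(der, 1)
    end, names = pos + total, []
    while pos < end:
        tag = der[pos]
        length, pos = _der_len(der, pos + 1)
        body, pos = der[pos:pos + length], pos + length
        if tag == 0x80 | DNS_NAME:
            names.append(("DNS", body.decode("ascii")))
        elif tag == 0x80 | IP_ADDRESS:    # 4 (IPv4) or 16 (IPv6) raw bytes
            names.append(("IP", str(ipaddress.ip_address(body))))
    return names

def host_matches(hostname, cn, san_der=None):
    """True if the certificate covers hostname: SAN entries are tried first
    (DNS for names, IP for literal addresses), then the CN as a fallback."""
    if san_der is not None:
        try:
            wanted = ("IP", str(ipaddress.ip_address(hostname)))
        except ValueError:
            wanted = ("DNS", hostname.rstrip(".").lower())
        for kind, value in parse_san(san_der):
            if (kind, value.lower()) == wanted:
                return True
    return cn.lower() == hostname.rstrip(".").lower()

def _general_name(tag, payload):
    return bytes([0x80 | tag, len(payload)]) + payload  # context-tagged primitive

# Constructed sample SAN: DNS:slap.public.external, IP Address:203.0.113.10
# (the IP is a documentation-range placeholder, not the poster's real address).
_inner = (_general_name(DNS_NAME, b"slap.public.external")
          + _general_name(IP_ADDRESS, bytes([203, 0, 113, 10])))
SAMPLE_SAN = bytes([0x30, len(_inner)]) + _inner
```

Passing `san_der=None` reproduces the failure from the thread: with no SAN in the certificate, `slap.public.external` can only be compared against the CN `slapd.local.domain` and is rejected.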