RE: Subject Alternative Name in TLS - does this work?
> -----Original Message-----
> From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-
> technical-bounces@OpenLDAP.org] On Behalf Of Howard Chu
> Sent: Monday, October 21, 2013 3:04 AM
> To: lejeczek; Christian Kratzer
> Cc: Christian Kratzer; openldap-technical@openldap.org
> Subject: Re: Subject Alternative Name in TLS - does this work?
>
> lejeczek wrote:
> > that was me, the way I tried to sign the certificate was...
> > incorrect
> >
> > apologies and great and many thanks to everybody
> >
> > I can now ldapsearch on both slapd.domain.local and
> > slap.domain.external with -ZZZ, all good (only cannot confirm if CN
> > has to be repeated in subjectAltName as per Olo's tip, currently it IS
> > repeated in my cert)
>
> No. The CN does not need to be repeated, anyone who says so is wrong.
> Other libraries (e.g. old Solaris/Sun/Mozilla LDAP) may have required this but
> they are defective and obsolete. The Mozilla LDAP SDK has been abandoned,
> and Solaris 11 now bundles OpenLDAP.
>
True, but putting the subject in the SAN list isn't bad or wrong per se.
A bit like offering wheel ramps for those older libraries/clients, even though newer stuff exists obsoleting those ramps.
- chris
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/