Seed, Steven wrote:
Sending again, because I'm not sure if the first message got through
since I had not acknowledged my membership...
Steven Seed wrote:
I have an ldap server set up with a SSL certificate such that the
CN=hostname.fqdn. In the same certificate I have created a
SubjectAltName with several DNS aliases. With everything configured
properly in my ldap.conf file, I can make TLS connections to my ldap
server as long as I use the hostname that matches the CN, but if I
change my connection to use one of the aliases in the SubjectAltName I
get:
ldap_start_tls: Can't contact LDAP server (-1)
additional info: TLS: hostname does not match CN in peer
certificate
An openssl dump of the certificate yields the following in the
SubjectAltName section:
Certificate:
Data:
CN=Proton.fas.fa.disney.com
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
email:dns:faldap,dns:fatestldap,dns:faldap.fas.fa.disney.com,dns:fatestldap.fas.fa.disney.com
X509v3 CRL Distribution Points:
DirName:/DC=com/DC=disney/OU=PKI/CN=The Walt Disney Company
Enterprise CA/CN=CRL27
URI:http://cdp.disney.pvt/CRL/EnterpriseCRL.crl
URI:http://cdp.disney.com/CRL/EnterpriseCRL.crl
Can anyone help me figure out what is going wrong? This is the same
with both version 2.2.13 and 2.3.32 of openldap. Does the
SubjectAltName format look correct?
Your subjectAltName appears to have encoded an email extension with the
string "dns:....." as its value, instead of an actual dns extension. So
basically, your subjectAltName is wrong.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
Chief Architect, OpenLDAP http://www.openldap.org/project/
