Howard Chu <[email protected]> writes:
> Dieter Kluenter wrote:
>> Hi,
>> I just wonder whether this is a bug in openSSL or in openLDAP, anyhow
>> the subjectAltName attribute values are not honoured.
>> openssl-0.9.8k-3.5.3.x86_64
>> openldap-2.4.21
>>
>> ldapwhoami -Y EXTERNAL -ZZ -H ldap://localhost
>> ldap_start_tls: Connect error (-11)
>> additional info: TLS: hostname does not match CN in peer certificate
>>
>> openssl x509 -in cert.pem -noout -text
>> Subject: C=DE, L=Hamburg, O=AVCI, OU=Certificate Authority,
>> CN=rubin.avci.de/[email protected]
>> ...
>> X509v3 Subject Alternative Name:
>> DNS:localhost, DNS:ldap.xxxx.de, DNS:dkluenter.xxxx.org
>>
>> Not to mention that this is OK with other versions of openldap and
>> openssl.
[...]
> Show the output with debugging enabled. Note that "localhost" is treated
> specially, and will be replaced by the local hostname instead of being used
> directly in the name comparison.
Found the culprit. As usual it is my beloved Yast :-)
This is a new setup of openSUSE-11.2, /etc/hosts has the following entries:

127.0.0.1 localhost
::1 localhost ipv6-localhost ipv6-loopback
[ more ipv6 entries ]
127.0.0.2 rubin rubin
192.168.100.16 rubin.avci.de rubin
[ more entries ]

removing the 127.0.0.2 entry solved it.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N 10°08'02,42"E
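A model of the name check Howard describes and of why the extra /etc/hosts line broke it, as an added example that is not OpenLDAP's own code. It assumes the comparison tries subjectAltName dNSName entries before falling back to the CN, that "localhost" is swapped for the machine's canonical hostname first, and that a "files" lookup returns the first name on the first /etc/hosts line that lists the queried name; the two hosts files are constructed from the entries in Dieter's mail.

```python
"""Model of the TLS hostname check discussed in the thread (not OpenLDAP code)."""

# Certificate fields as printed by `openssl x509 -text` in the thread.
CERT = {
    "cn": "rubin.avci.de",
    "san_dns": ["localhost", "ldap.xxxx.de", "dkluenter.xxxx.org"],
}

# Constructed /etc/hosts contents: with and without the YaST-added 127.0.0.2 line.
HOSTS_BROKEN = """127.0.0.1 localhost
::1 localhost ipv6-localhost ipv6-loopback
127.0.0.2 rubin rubin
192.168.100.16 rubin.avci.de rubin
"""
HOSTS_FIXED = """127.0.0.1 localhost
::1 localhost ipv6-localhost ipv6-loopback
192.168.100.16 rubin.avci.de rubin
"""


def canonical_name(hosts_file: str, short_hostname: str) -> str:
    """Assumed 'files' resolver: first line listing the name wins, and the first
    name on that line is returned as the canonical (h_name) form."""
    for line in hosts_file.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and short_hostname in fields[1:]:
            return fields[1]
    return short_hostname


def _name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match allowing one leftmost-label wildcard."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return pattern == host


def check_hostname(requested: str, cert: dict, local_canonical: str):
    """Return (ok, candidate): candidate is the name actually compared, which is
    the local canonical hostname when the client asked for "localhost"."""
    candidate = local_canonical if requested.lower() == "localhost" else requested
    if any(_name_matches(san, candidate) for san in cert["san_dns"]):
        return True, candidate
    return _name_matches(cert["cn"], candidate), candidate


if __name__ == "__main__":
    for label, hosts in (("broken", HOSTS_BROKEN), ("fixed", HOSTS_FIXED)):
        print(label, check_hostname("localhost", CERT, canonical_name(hosts, "rubin")))
```

With the 127.0.0.2 line present the candidate becomes the bare "rubin", which matches neither the SAN list nor the CN; once it is removed the canonical name is rubin.avci.de and the CN fallback succeeds.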
