Re: Subject Alternative Name in TLS - does this work?

Fri, 18 Oct 2013 06:32:39 -0700 


On 10/18/2013 11:59 AM, Christian Kratzer wrote:

Hi,

On Fri, 18 Oct 2013, lejeczek wrote:
<snipp/>

hi Christian

my case is, well should be a lot more simpler, one box with

slapd.local.domain
slap.public.external
and this one host I would like to be able to search through on/via both hostnames/IPs with TLS so I issue myself and sign a certificate, CA issuer is CA.local.domain 

Subject: .......... CN=slapd.local.domain/email.........
and
X509v3 Subject Alternative Name:
DNS:slap.public.external, IP Address:ex.te.rn.al
ldapsearch -h slap.public.external -D cn=manager,dc=local,dc=domain .... 
result:
TLS: hostname (slap.public.external) does not match common name in certificate (slapd.local.domain). TLS: can't connect: TLS error -8157:Certificate extension not found.. 
ldap_start_tls: Connect error (-11)
additional info: TLS error -8157:Certificate extension not found. 

whereas:
ldapsearch -h slap.local.domain -D cn=manager,dc=local,dc=domain 
works fine
could it be tools from be openldap-clients, a bug? Apache's ldap toolkit for Eclipse seems to work and connects to slap.public.external
this should work. It does in two separate setups that I maintain. 

Which version is your openldap client ?

whole toolkit is Redhats 2.4.23-31.el6.x86_64 on RHEL 6.4
Have you configured the CA certificate for trust ? I have following in my /usr/local/etc/openldap/ldap.conf to configure the CA certificate:
for ldapsearch I use args in line for the command, also debug it and see that wanted certificate is pulled in 


    [ck@ldaptest1]$ cat ~ldap/ldap.conf
    BASE dc=example,dc=org
    URI ldap://ldaptest1.cksoft.de
TLS_CACERT /usr/local/etc/openldap/certs/cksoftware-gmbh-ca-2011-2031.cert 
    TLS_REQCERT demand
btw, being novice with openssl, is there a way to print extensions thus SAN of a certificate? 
I can print and see it on the request.


use following to dump the certificate:

    openssl s_client -text -in CERT.pem
and no such things for s_clients in the toolkit version as above, 
I normally view a certificate with:
openssl x509 -issuer -subject -enddate -noout -text -in CERT.pem -- and I cannot see subjectAltNames
how could it be, given above is the right way to get all relevant info of a certificate that request has subjectAltNames but actual certificate misses it? 



You should see the subjectAltNames.

If not your certificate is broken.

Greetings
Christian

Reply via email to