[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

[Fedora-directory-users] Re: Hostname does not match CN

From: Howard Chu <hyc symas com>
To: fedora-directory-users redhat com
Subject: [Fedora-directory-users] Re: Hostname does not match CN
Date: Wed, 05 Apr 2006 12:34:12 -0700

Date: Tue, 04 Apr 2006 11:30:30 -0700
From: "George Holbert" <gholbert broadcom com>
Does Directory Server support the subjectAltName extension on SSL certs?
Yes, the NSS toolkit which Directory Server uses can handle these certs.

The next question is, do your SSL-enabled LDAP clients support these certs?
I need to support both Solaris and RedHat Linux LDAP name serviceclients (i.e., passwd, group, automount, etc.). I've found that:
- Solaris clients can handle wildcard certs.  RHEL 3 clients can't.
- RHEL 3 clients can handle subjectAltName certs.  Solaris clients can't.
So, while the server can present either of these cert types, yourclients' limitations will also influence how you sign your certs.

Someone should file a bug report with Sun then, since LDAP RFC2830defines support for subjectAltName and not for wildcard certs. TheLDAPbis specifications will be pretty much the same here. I.e., Sun'sLDAP library is not LDAPv3 compliant. RHEL uses OpenLDAP libraries,which are fully LDAPv3 compliant.


--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/

Follow-Ups:
- Re: [Fedora-directory-users] Re: Hostname does not match CN
  - From: George Holbert
- [Fedora-directory-users] SubjectAltName how does it work?
  - From: Alex aka Magobin

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]