[Fedora-directory-users] Re: problem with cert for ssl on RHAS5
Howard Chu
hyc at symas.com
Wed Dec 5 15:06:05 UTC 2007
> Date: Wed, 5 Dec 2007 15:37:53 +1300
> From: "Steven Jones" <Steven.Jones at vuw.ac.nz>
> Is there a way to search the list archives for topics?
>
> Such as say,
>
> "ldap_start_tls: Connect error (-11)
> additional info: TLS: hostname does not match CN in peer
> certificate"
Since the above message comes from the OpenLDAP tools/library, you'd have
better luck searching the OpenLDAP archives. www.openldap.org.
>> So what did I do wrong?
> ----
> probably should only use uri and not host in /etc/openldap/ldap.conf
>
> yep, I can take that out....
>
> And it's clear that
>
> ldap.vuw.ac.nz != cn=vuwunicvfdsm001.vuw.ac.nz (certificate)
>
> Sorry I fail to see it as that clear (until now you explain it anyway!)
>
> ....Working through the FDS/RDS documentation I seem to have failed to
> notice that it clearly (if at all???) explains what cn= should equal or
> indeed the setting in the ldap.conf needs to be the same....in terms of
> DNS they do equal as ldap is a CNAME of vuwunicvfdsm001....
This is explained in the OpenLDAP Admin Guide.
http://www.openldap.org/doc/admin24/tls.html#TLS%20Certificates
>
> The advantage of using a CNAME is I can upgrade the system and to a
> simple CNAME change to replace the servers....
RFC2830 explicitly forbid clients from talking to a DNS server to verify the
server name. Therefore most clients would be unable to dereference a CNAME.
RFC4513 relaxes this constraint, and permits a client to use secure hostname
services (e.g. DNSSEC), but in practice there's no standard APIs to select or
control these services, so the RFC2830 constraint is still in force - the
hostname provided by the client must be used directly, without any other
mapping, in comparisons to the names in the server certificate. But as already
mentioned, you can include arbitrarily many subjectAltName extensions in the
certificate to provide aliases and domain wildcards.
> Date: Tue, 04 Dec 2007 20:42:25 -0700
> From: Craig White <craigwhite at azapple.com>
> Lastly, you probably can add to both /etc/ldap.conf
> and /etc/openldap/ldap.conf
>
> ssl start_tls
>
> and it should automatically use tls...
No. That's only legal for PADL's pam_ldap and nss_ldap. There is no equivalent
option for OpenLDAP's libldap because that is not a library-level issue, it's
application level. /etc/openldap/ldap.conf is only for library default
settings. There is no configuration file for client tool defaults.
> Date: Tue, 04 Dec 2007 20:05:25 -0800
> From: Satish Chetty <satish at suburbia.org.au>
>> I am trying to do a ldapsearch with ssl enabled....and I get this error,
>
> You can also try ldapsearch that comes with FDS (without -x option)
>
> Also, if you want only encryption and not host identification, use
> 'tls_checkpeer no' in your ldap.conf
That is also only valid for pam_ldap and nss_ldap. In OpenLDAP that's what the
"TLS_REQCERT never" option is for, but in the versions of OpenLDAP that RedHat
ships, that are typically 3-5 years obsolete, that option doesn't quite work
as expected. I.e., the hostname check is performed regardless of the setting
of TLS_REQCERT.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
More information about the Fedora-directory-users
mailing list