[Debian-ha-maintainers] Bug#770349: ldirectord: SSL hostname check failure
Shawn Heisey
debian at elyograg.org
Thu Nov 20 20:49:26 UTC 2014
On 11/20/2014 12:22 PM, Kurt Roeckx wrote:
> This fix is just plain wrong and you might as well stop using
> HTTPS in that case. Please fix the certificate instead. It can
> contain IP addresses just as well as hostnames. It's recommended
> to use the SubjectAltName, but you can put it in the CN too.
The servers are behind the Linux IP virtual server, driven by
ldirectord. When the end user on the Internet makes their connection,
the certificate is completely correct, but when ldirectord makes its
health check, it's wrong. For the health checks, I don't really care
that the cert doesn't validate. For the end user, I absolutely want the
cert to validate.
Unless you're using StartSSL, certificates with multiple names (subject
alternative name) cost quite a bit more than certificates with one name
(CN). Lots of people want a CA with greater hardware/software support
than StartSSL offers, so getting a proper certificate to validate health
checks as well as end users can be prohibitively expensive.
I plan to phase out ipvs/ldirectord for another solution, but that may
not be completed for several more months.
More information about the Debian-ha-maintainers
mailing list