[Pkg-openldap-devel] Bug#462588: Same problem

Quanah Gibson-Mount quanah at zimbra.com
Tue Jan 29 20:29:39 UTC 2008


--On Tuesday, January 29, 2008 12:09 PM -0800 Steve Langasek 
<vorlon at debian.org> wrote:

> On Tue, Jan 29, 2008 at 08:27:03PM +0100, T.A. van Roermund wrote:
>> Steve Langasek wrote:
>> > Well, I can reproduce the problem when using this value for
>> > TLSCipherSuite. But why would you set this value, rather than leaving
>> > TLSCipherSuite blank to use the default?  I don't see the point of
>> > listing *all* the cipher types if you don't intend to exclude some of
>> > them.
>
>> If I leave it blank, it still doesn't work. The behaviour is then
>> exactly equal to the current situation.
>
> Ok.  Does your certificate have a proper cn, matching the fqdn of your
> server?  That's the only other case where I can reproduce the described
> behavior, but I don't know if that's a behavior change relative to the
> OpenSSL version.  (I would have hoped that OpenSSL would also refuse to
> negotiate SSL/TLS with a server whose cn doesn't match the hostname being
> connected to, since this subverts the SSL security model.)

OpenLDAP compiled with OpenSSL behaves the same way, i.e., the cn in the 
cert must match the servername (or the fields in subjectAltName, etc.).

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
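As an added example that is not part of this thread or of OpenLDAP's own code: a small Python checker implementing the rule Quanah states above (subjectAltName dNSName entries are checked first, the subject CN only when no dNSName SAN is present). The certificate layout follows Python's `ssl` `getpeercert()` dictionary and the sample certificates are constructed, not taken from the bug report.

```python
# Added example: hostname-vs-certificate matching as described in the thread.
# Certificates use the dict layout returned by ssl.SSLSocket.getpeercert().
from typing import Dict


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname, case-insensitively.

    A wildcard is honoured only as the whole leftmost label ("*.example.org"):
    it never spans a dot and never matches the bare parent domain.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False  # only "*.host.tld" style wildcards are accepted
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert: Dict, hostname: str) -> bool:
    """SAN dNSName entries take precedence; CN is consulted only without them."""
    san_dns = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return any(_name_matches(n, hostname) for n in san_dns)
    # No dNSName SAN present: fall back to the subject CN, as the thread says.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _name_matches(value, hostname)
    return False


# Constructed sample certificates (hypothetical names, not from the report).
CERT_CN_ONLY = {"subject": ((("commonName", "ldap.example.org"),),)}
CERT_WITH_SAN = {
    "subject": ((("commonName", "ldap.example.org"),),),
    "subjectAltName": (("DNS", "ldap.example.org"), ("DNS", "*.ldap.example.org")),
}
# SAN present but pointing elsewhere: the matching CN must NOT rescue it.
CERT_SAN_MISMATCH = {
    "subject": ((("commonName", "ldap.example.org"),),),
    "subjectAltName": (("DNS", "other.example.org"),),
}
```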