[Pkg-openldap-devel] Bug#478883: Bug#478883: ldap-utils: ldapsearch -x from sid fail

Matt Kassawara battery at writeme.com
Mon Jun 8 19:16:43 UTC 2009


Nothing in the certificate contains the hostname of the server
(ldap.fi.trl)... which explains why GnuTLS complains when you test using
gnutls-cli... and probably causes ldapsearch to fail.  You should regenerate
your certificate.
- Certificate[0] info:
# The hostname in the certificate does NOT match 'ldap.fi.trl'.

On Mon, Jun 8, 2009 at 12:05 PM, Simone Piccardi <piccardi at truelite.it> wrote:

> Matt Kassawara wrote:
> > The error you got from testing with gnutls-cli says GnuTLS on that
> > particular client probably doesn't like the new certificate.  Did you
> > renew the CA, server, or both certificates?  Can you provide your new
> > and old certificates?  On a side note, I recommend migrating from
> > deprecated LDAPS (port 636) to STARTTLS.
>
> The new one is attached, I resigned my old request with tinyca (this
> operation was made on the sid machine). I did not change the CA or key,
> just the server certificate.
>
> For the old one, sorry, I made a copy, but I also mistakenly overwrote
> it...
>
> I'll look at STARTTLS, but I don't like it so much, I want to be sure
> that unencrypted connections will always be rejected, and I have LDAP
> listening on 389 only from localhost.
>
> Simone
> --
> Simone Piccardi                                 Truelite Srl
> piccardi at truelite.it (email/jabber)             Via Monferrato, 6
> Tel. +39-347-1032433                            50142 Firenze
> http://www.truelite.it  Tel. +39-055-7879597    Fax. +39-055-7333336
>
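The failure Matt describes above is the client-side name check: a TLS client takes the identities a server certificate presents (subjectAltName dNSName entries, or the subject commonName only when no dNSName is present) and compares them with the hostname it connected to. The following is an added example, not code from the thread or from OpenLDAP/GnuTLS; it implements that comparison over the dict layout Python's ssl.SSLSocket.getpeercert() returns, and the two certificates in it are constructed samples (one carrying the hostname, one re-signed without it) rather than the ones from the bug report.

```python
"""Hostname-vs-certificate name matching as a TLS client performs it.

Added example. The dict layout mirrors what ssl.SSLSocket.getpeercert()
returns for a verified peer; GOOD_CERT and BAD_CERT are constructed
samples, not the certificates attached to the bug report.
"""


def _dns_names(cert):
    """Return the identities a client may match the hostname against.

    RFC 6125 rule: use subjectAltName dNSName entries when any exist and
    fall back to the subject commonName only when the certificate has none.
    """
    sans = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    cns = []
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                cns.append(value)
    return cns


def _name_match(pattern, hostname):
    """Match one presented name against the hostname, case-insensitively.

    A wildcard is honoured only as the whole leftmost label and matches a
    single label: '*.fi.trl' matches 'ldap.fi.trl' but neither 'fi.trl'
    nor 'a.ldap.fi.trl'. Patterns such as '*.com' are rejected outright.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert, hostname):
    """True when at least one acceptable identity in cert matches hostname."""
    return any(_name_match(name, hostname) for name in _dns_names(cert))


def explain_mismatch(cert, hostname):
    """Diagnosis text in the spirit of the gnutls-cli message from the thread."""
    names = _dns_names(cert)
    if cert_matches_hostname(cert, hostname):
        return "The hostname in the certificate matches %r." % hostname
    if not names:
        return ("The certificate carries no dNSName or commonName at all; "
                "nothing can match %r." % hostname)
    return ("The hostname in the certificate does NOT match %r "
            "(certificate names: %s)." % (hostname, ", ".join(names)))


# Constructed sample: server certificate issued with the hostname in the SAN.
GOOD_CERT = {
    "subject": ((("organizationName", "Example Org"),),
                (("commonName", "ldap.fi.trl"),)),
    "subjectAltName": (("DNS", "ldap.fi.trl"), ("DNS", "ldap")),
}

# Constructed sample: re-signed with a descriptive commonName and no
# subjectAltName, so nothing in it can match the server's hostname.
BAD_CERT = {
    "subject": ((("organizationName", "Example Org"),),
                (("commonName", "Example LDAP server"),)),
}

if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("bad", BAD_CERT)):
        print(label, "->", explain_mismatch(cert, "ldap.fi.trl"))
```

When a real client reports a name mismatch, the fix is the one given in the reply: reissue the server certificate with the connecting hostname as a dNSName, not a change on the client side such as disabling verification.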
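On the STARTTLS concern raised in the quoted message: slapd can enforce a minimum security strength factor on every session, so the choice between ldaps:// and STARTTLS no longer decides whether a cleartext operation is accepted. The fragment below is an added example, not configuration from the thread; the file paths are placeholders, and the client-side lines assume the OpenLDAP ldap.conf and ldapsearch options named in the comments.

```conf
# slapd.conf (added example): refuse every operation except StartTLS itself
# unless the session already has at least 128 bits of transport protection.
# Plain connections to port 389, including loopback TCP, get
# "confidentiality required"; ldapi:// sockets are rated via localSSF.
TLSCACertificateFile  /etc/ldap/ca.crt        # placeholder path
TLSCertificateFile    /etc/ldap/server.crt    # placeholder path
TLSCertificateKeyFile /etc/ldap/server.key    # placeholder path
security ssf=128

# /etc/ldap/ldap.conf (added example): make clients verify the server
# certificate against the CA and fail hard on any verification error.
TLS_CACERT  /etc/ldap/ca.crt                  # placeholder path
TLS_REQCERT demand

# Client check: -ZZ makes ldapsearch abort unless STARTTLS succeeds,
# so a misconfigured server can never be queried in the clear.
#   ldapsearch -x -ZZ -H ldap://ldap.fi.trl -b "" -s base
```

The `security ssf=128` line is the server-side guarantee the message asks for; `-ZZ` and `TLS_REQCERT demand` give the same guarantee from the client side, and a certificate without the server's hostname will fail exactly as it did with gnutls-cli above.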