[Fedora-directory-users] Re: Hostname does not match CN
Howard Chu
hyc at symas.com
Wed Apr 5 19:34:12 UTC 2006
> Date: Tue, 04 Apr 2006 11:30:30 -0700
> From: "George Holbert" <gholbert at broadcom.com>
>
>> Does Directory Server support the subjectAltName extension on SSL certs?
>
> Yes, the NSS toolkit which Directory Server uses can handle these certs.
>
> The next question is, do your SSL-enabled LDAP clients support these certs?
> I need to support both Solaris and RedHat Linux LDAP name service
> clients (i.e., passwd, group, automount, etc.). I've found that:
> - Solaris clients can handle wildcard certs. RHEL 3 clients can't.
> - RHEL 3 clients can handle subjectAltName certs. Solaris clients can't.
>
> So, while the server can present either of these cert types, your
> clients' limitations will also influence how you sign your certs.
>
Someone should file a bug report with Sun then, since LDAP RFC2830
defines support for subjectAltName and not for wildcard certs. The
LDAPbis specifications will be pretty much the same here. I.e., Sun's
LDAP library is not LDAPv3 compliant. RHEL uses OpenLDAP libraries,
which are fully LDAPv3 compliant.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
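The two client behaviours George describes (one accepting wildcard names, the other accepting subjectAltName) come down to how each client checks the server's identity against the hostname it connected to. The check below is an added example and is not code from this thread, from Directory Server, from OpenLDAP or from Sun's library; it takes the already-parsed identity fields of a server certificate (a constructed stand-in, so nothing real is parsed) and applies the RFC 2830 section 3.6 style comparison: use the hostname the client actually connected with, prefer dNSName subjectAltName entries over the subject CN, compare case-insensitively. Whether a whole left-most-label wildcard is accepted is left as a policy flag, since the thread reports that support for it differs between clients. The `CLIENT_POLICIES` labels and the sample hostnames and certificates are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ServerCertIdentity:
    """Identity fields of an X.509 server certificate as a TLS library would
    return them after parsing (constructed stand-in; no real cert is parsed)."""
    subject_cn: Optional[str] = None
    san_dns_names: List[str] = field(default_factory=list)


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively and a trailing dot is not significant.
    return name.lower().rstrip(".")


def _name_matches(presented: str, hostname: str, allow_wildcard: bool) -> bool:
    """Compare one presented DNS name with the hostname the client connected to.

    Only a whole left-most label may be a wildcard ('*.example.com'). It stands
    for exactly one label, so it matches neither the bare domain nor a name
    with an extra level, and (a defensive choice here) it may not cover a
    whole top-level domain such as '*.com'."""
    presented = _normalize(presented)
    hostname = _normalize(hostname)
    if presented == hostname:
        return True
    if not allow_wildcard or not presented.startswith("*."):
        return False
    if "*" in presented[2:]:
        return False  # wildcard anywhere other than the left-most label: reject
    labels = hostname.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == presented[2:]


def verify_server_identity(cert: ServerCertIdentity, hostname: str, *,
                           use_san: bool = True,
                           allow_wildcard: bool = False) -> Tuple[bool, str]:
    """Return (accepted, reason).

    `hostname` must be the name the client used to open the LDAP connection,
    never a reverse-resolved or canonical form of it. When the client honours
    subjectAltName and the cert carries dNSName entries, those entries are the
    identity and the CN is ignored; otherwise the CN is the fallback."""
    if use_san and cert.san_dns_names:
        for name in cert.san_dns_names:
            if _name_matches(name, hostname, allow_wildcard):
                return True, f"matched subjectAltName dNSName {name!r}"
        return False, "no subjectAltName dNSName matched"
    if cert.subject_cn is None:
        return False, "certificate carries no usable identity"
    if _name_matches(cert.subject_cn, hostname, allow_wildcard):
        return True, f"matched subject CN {cert.subject_cn!r}"
    return False, f"subject CN {cert.subject_cn!r} does not match"


# Client behaviours as reported in the thread; the labels are constructed.
CLIENT_POLICIES = {
    "solaris": {"use_san": False, "allow_wildcard": True},
    "rhel3": {"use_san": True, "allow_wildcard": False},
}


def clients_accepting(cert: ServerCertIdentity, hostname: str) -> List[str]:
    """Names of the reported client types that would accept `cert` for `hostname`."""
    return sorted(label for label, policy in CLIENT_POLICIES.items()
                  if verify_server_identity(cert, hostname, **policy)[0])


if __name__ == "__main__":
    # Constructed sample certificates for a directory server ldap1.example.com.
    host = "ldap1.example.com"
    wildcard_cert = ServerCertIdentity(subject_cn="*.example.com")
    san_cert = ServerCertIdentity(subject_cn="ldap.example.com",
                                  san_dns_names=["ldap.example.com", host])
    both_cert = ServerCertIdentity(subject_cn=host, san_dns_names=[host])
    for label, cert in [("wildcard CN", wildcard_cert),
                        ("subjectAltName", san_cert),
                        ("exact CN + SAN", both_cert)]:
        print(f"{label}: accepted by {clients_accepting(cert, host)}")
```

Running it shows the split from the thread directly: the wildcard-CN cert is accepted only by the wildcard-tolerant policy, the subjectAltName cert only by the SAN-aware one, and a cert whose CN is the exact hostname and which also lists it as a dNSName is accepted by both. That last shape is the practical way to satisfy a mixed client population without loosening either check.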