[Fedora-directory-users] Re: Hostname does not match CN
George Holbert
gholbert at broadcom.com
Wed Apr 5 19:51:37 UTC 2006
> Someone should file a bug report with Sun then, since LDAP RFC2830
> defines support for subjectAltName and not for wildcard certs. The
> LDAPbis specifications will be pretty much the same here. I.e., Sun's
> LDAP library is not LDAPv3 compliant. RHEL uses OpenLDAP libraries,
> which are fully LDAPv3 compliant.
I think 2830 does mention wildcards as acceptable, but I would prefer to
use subjectAltNames if possible. So I agree it would be great if Sun
would add this support to their Solaris LDAP name service client. I
believe part of the problem is that the Solaris client uses a fairly
ancient version of the NSS toolkit (although Sun DS, like Fedora DS,
uses a much more recent version).
Howard Chu wrote:
>
>> Date: Tue, 04 Apr 2006 11:30:30 -0700
>> From: "George Holbert" <gholbert at broadcom.com>
>>
>>
>>> Does Directory Server support the subjectAltName extension on SSL
>>> certs?
>>>
>>
>> Yes, the NSS toolkit which Directory Server uses can handle these certs.
>>
>> The next question is, do your SSL-enabled LDAP clients support these
>> certs?
>> I need to support both Solaris and RedHat Linux LDAP name service
>> clients (i.e., passwd, group, automount, etc.). I've found that:
>> - Solaris clients can handle wildcard certs. RHEL 3 clients can't.
>> - RHEL 3 clients can handle subjectAltName certs. Solaris clients
>> can't.
>>
>> So, while the server can present either of these cert types, your
>> clients' limitations will also influence how you sign your certs.
>>
>>
> Someone should file a bug report with Sun then, since LDAP RFC2830
> defines support for subjectAltName and not for wildcard certs. The
> LDAPbis specifications will be pretty much the same here. I.e., Sun's
> LDAP library is not LDAPv3 compliant. RHEL uses OpenLDAP libraries,
> which are fully LDAPv3 compliant.
>
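The identity check the thread is arguing about, written out as an added example (not code from any of the Solaris, RHEL or Sun DS clients discussed): RFC 2830 section 3.6 matches the hostname the client connected to against dNSName values in subjectAltName, falling back to the subject CN, case-insensitively, with `*` allowed only as the left-most label. The inputs are assumed to be the name strings already extracted from a parsed certificate; rejecting a bare `*.tld` pattern is an added hardening choice beyond the RFC text.

```python
from typing import Iterable, Optional

def _name_match(pattern: str, hostname: str) -> bool:
    """Compare one certificate name against the connected-to hostname.

    RFC 2830 rules: case-insensitive; '*' permitted only as the whole
    left-most label, where it stands for exactly one label.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the entire first label and nothing else may contain one.
    # Requiring at least three labels (added hardening, not in the RFC) keeps
    # "*.com" from matching every host in a top-level domain.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def server_name_matches(hostname: str, san_dns_names: Iterable[str],
                        subject_cn: Optional[str]) -> bool:
    """True if the presented certificate identifies `hostname`.

    When any dNSName subjectAltName is present, only those values are
    consulted; the CN is used solely as a fallback when there are none.
    """
    san = list(san_dns_names)
    if san:
        return any(_name_match(n, hostname) for n in san)
    return subject_cn is not None and _name_match(subject_cn, hostname)

def demo() -> dict:
    """Constructed cases: a subjectAltName cert and a wildcard-CN cert."""
    san_cert = (["ldap1.example.com", "ldap.example.com"], "dirsrv.example.com")
    wild_cert = ([], "*.example.com")
    return {
        "san_alt_name_ok": server_name_matches("LDAP.example.com", *san_cert),
        "san_present_cn_ignored": server_name_matches("dirsrv.example.com", *san_cert),
        "wildcard_one_label": server_name_matches("ldap1.example.com", *wild_cert),
        "wildcard_two_labels": server_name_matches("a.b.example.com", *wild_cert),
    }
```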