[Fedora-directory-users] SSL replication
Rich Megginson
rmeggins at redhat.com
Wed Mar 11 13:51:22 UTC 2009
Emmanuel BILLOT wrote:
> Hi,
>
> During our many tests, we've seen a particular behaviour in certs
> checking, so wewander if it is not as misconfiguration of our server :
>
> We have installed 2 FDS and replication agrements between it. Those
> replication agrement are configurated with the "SSL connection" option
> enable, "simple authentification" and a replication manager.
> A certificate have been generated for each server, using is FQDN.
> Replication is ok.
> However, we 've made a mistake in a tests, and one cert was generated
> with DNS hostname different from the server it was destinated for and
> replication is still working...
>
> How is it possible ? Is there any hostname controle in the SSL
> connection ?
I'm not sure how it's possible. Yes, by default the hostname is
checked. This is controlled by the attribute nsslapd-ssl-check-hostname
in cn=config. By default this is "on".
>
> Ex: toutou.gaia.net (with cert signed toutou.gaia.intranet.net) is
> replicating with gri.gaia.net (with cert signed gri.gaia.net)
>
> BR,
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20090311/1d69e888/attachment.bin>
More information about the 389-users
mailing list