[389-users] encryption and load balancing

Michael Gettes gettes at gmail.com
Mon May 12 17:21:00 UTC 2014


no need for wildcard certs… use the Subject Alt Name.  Works fine.  Been doing it for years.  certutil supports it as well.

/mrg

On May 12, 2014, at 12:08 PM, David Boreham <david_list at boreham.org> wrote:

> 
> On 5/12/2014 9:53 AM, Elizabeth Jones wrote:
>> 
>> Do the certs have to have the server hostnames in them or can I create a
>> cert that has a virtual name and put that on all the LDAP servers?
>> 
> If I understand the scenario: you are using a LB that passes through SSL traffic to the LDAP servers without terminating the SSL sessions (packets come in from clients, and are sent to the LDAP server of choice untouched by the LB). In that case you can deploy a cert on all the LDAP servers with the virtual hostname the clients use to make their connections to the LB. The clients will validate the cert presented because its hostname matches the one they used to make the connection.
> 
> However, note that any LDAP client that needs to make a connection to a specific server (bypassing the LB) will now see the "wrong" hostname and hence fail the certificate hostname check (e.g. replication traffic from other servers).
> 
> A wildcard hostname may be a good solution in this case.
> 
> There may be a way to get the LDAP server to present different certificates depending on the source IP (hence avoiding the need for a wildcard cert), but I don't remember such a feature existing off the top of my head.
> 
> 
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
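The hostname check both messages are talking about, as an added example that is not code from the thread or from 389 DS: it runs over constructed certificate dicts in the shape Python's `ssl.getpeercert()` returns, and shows that a cert carrying only the virtual name passes the LB path but fails a direct per-server connection, that a SAN cert listing the virtual name plus each server hostname passes both, and that a wildcard matches exactly one label. The hostnames are assumptions chosen for illustration.

```python
# Hostname matching against a certificate's SAN dNSName entries, following the
# RFC 6125 rules Python's ssl module applies: case-insensitive, wildcard only as
# the whole leftmost label, and a wildcard never spans more than one label.

def _dns_match(pattern: str, hostname: str) -> bool:
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    # "*.example.org" needs at least two fixed labels and matches one label only
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]

def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """True if any SAN DNS entry of `cert` covers `hostname` (CN is ignored)."""
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_dns_match(p, hostname) for p in dns_names)

# Assumed deployment: one virtual name on the LB, two real LDAP servers behind it.
VIRTUAL = "ldap.example.org"
SERVERS = ["ldap1.example.org", "ldap2.example.org"]

# Constructed certs (same layout as ssl.getpeercert()): virtual name only,
# SAN cert with virtual + every server name, and a wildcard cert.
VIRTUAL_ONLY_CERT = {"subject": ((("commonName", VIRTUAL),),),
                     "subjectAltName": (("DNS", VIRTUAL),)}
SAN_CERT = {"subject": ((("commonName", VIRTUAL),),),
            "subjectAltName": (("DNS", VIRTUAL),) + tuple(("DNS", s) for s in SERVERS)}
WILDCARD_CERT = {"subject": ((("commonName", "*.example.org"),),),
                 "subjectAltName": (("DNS", "*.example.org"),)}

def connection_paths(cert: dict) -> dict:
    """Map each way a client may connect (via LB, or directly) to pass/fail."""
    return {name: cert_matches_hostname(cert, name) for name in [VIRTUAL, *SERVERS]}

if __name__ == "__main__":
    for label, cert in [("virtual-only", VIRTUAL_ONLY_CERT),
                        ("SAN", SAN_CERT), ("wildcard", WILDCARD_CERT)]:
        print(label, connection_paths(cert))
```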
