TLS: hostname does not match CN in peer certificate
Hello all, I have installed freeradius 2.1.10 on Debian Squeeze and configured to fetch the users on the ldap server. The access to the ldap server is secured with ssl (not TLS!), so openladp is listening on port 636. When I try # radtest user "mypassword" localhost 1 testing123 I get the following message: Reply-Message = "TLS: hostname does not match CN in peer certificate" Complete output: Sending Access-Request of id 137 to 127.0.0.1 port 1812 User-Name = "user" User-Password = "password" NAS-IP-Address = 127.0.1.1 NAS-Port = 1 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=137, length=73 Reply-Message = "TLS: hostname does not match CN in peer certificate" That's correct, because I'm still in a testing phase and the openldap certificate doesn't match with the openldap hostname. But I need to fetch the data... What can I change to get it working? Is the only way to generate new certificate files? Thanks! Regards, Ivan
Ivan De Masi wrote:
The access to the ldap server is secured with ssl (not TLS!), so openladp is listening on port 636.
When I try
# radtest user "mypassword" localhost 1 testing123
I get the following message:
Reply-Message = "TLS: hostname does not match CN in peer certificate"
That message does not exist in the default configuration. Someone added it to the local configuration.
Complete output:
Sending Access-Request of id 137 to 127.0.0.1 port 1812 User-Name = "user" User-Password = "password" NAS-IP-Address = 127.0.1.1 NAS-Port = 1
Uh... no. You are aware that the "radclient" program is not the radius server? Read the output of "radiusd -X". This is mentioned in the FAQ, Wiki, web site, "man" page, and daily on this list.
That's correct, because I'm still in a testing phase and the openldap certificate doesn't match with the openldap hostname. But I need to fetch the data... What can I change to get it working? Is the only way to generate new certificate files?
I have no idea what you're doing, so I can't answer that question. Alan DeKok.
Am 15.06.2012 14:32, schrieb Alan DeKok:
Ivan De Masi wrote:
The access to the ldap server is secured with ssl (not TLS!), so openladp is listening on port 636.
When I try
# radtest user "mypassword" localhost 1 testing123
I get the following message:
Reply-Message = "TLS: hostname does not match CN in peer certificate"
That message does not exist in the default configuration.
Someone added it to the local configuration.
Complete output:
Sending Access-Request of id 137 to 127.0.0.1 port 1812 User-Name = "user" User-Password = "password" NAS-IP-Address = 127.0.1.1 NAS-Port = 1
Uh... no. You are aware that the "radclient" program is not the radius server?
Read the output of "radiusd -X". This is mentioned in the FAQ, Wiki, web site, "man" page, and daily on this list.
That's correct, because I'm still in a testing phase and the openldap certificate doesn't match with the openldap hostname. But I need to fetch the data... What can I change to get it working? Is the only way to generate new certificate files?
I have no idea what you're doing, so I can't answer that question.
Alan DeKok.
Hi, that's what I found in a howto when testing the config... :-) "radiusd -X" doesn't seem to work on Debian (?!) Regards, Ivan -- AStA TU Darmstadt IT-Administration Raum S1|03 63 Hochschulstr. 1 64289 Darmstadt Tel. +49-6151-162217 Fax. +49-6151-166026
Set the hostname in the ldap conf to match what is in the certificate. You may need to create an entry in /etc/hosts to match. You may be able to get around the mismatch by creating an ldaprc file and setting the parameter that controls the hostname checking to none. On Jun 15, 2012 10:12 PM, "Ivan De Masi" <it-support@asta.tu-darmstadt.de> wrote:
Hello all,
I have installed freeradius 2.1.10 on Debian Squeeze and configured to
fetch the users on the ldap server.
The access to the ldap server is secured with ssl (not TLS!), so openladp
is listening on port 636.
When I try
# radtest user "mypassword" localhost 1 testing123
I get the following message:
Reply-Message = "TLS: hostname does not match CN in peer certificate"
Complete output:
Sending Access-Request of id 137 to 127.0.0.1 port 1812 User-Name = "user" User-Password = "password" NAS-IP-Address = 127.0.1.1 NAS-Port = 1
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=137,
length=73
Reply-Message = "TLS: hostname does not match CN in peer certificate"
That's correct, because I'm still in a testing phase and the openldap certificate doesn't match with the openldap hostname. But I need to fetch the data... What can I change to get it working? Is the only way to generate new certificate files?
Thanks!
Regards, Ivan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Am 16.06.2012 00:04, schrieb Frank Ranner:
Set the hostname in the ldap conf to match what is in the certificate. You may need to create an entry in /etc/hosts to match. You may be able to get around the mismatch by creating an ldaprc file and setting the parameter that controls the hostname checking to none.
OK, thanks for the hints. I'll give it a try and report. And if there is no other way at all, I'll generate the future certificates for the host. Regards, Ivan
participants (3)
-
Alan DeKok -
Frank Ranner -
Ivan De Masi