Discussion:
TLS: hostname does not match CN in peer certificate
Ivan De Masi
2012-06-15 12:09:37 UTC
Hello all,

I have installed freeradius 2.1.10 on Debian Squeeze and configured it to
fetch the users from the ldap server.

The access to the ldap server is secured with ssl (not TLS!), so
openldap is listening on port 636.

When I try

# radtest user "mypassword" localhost 1 testing123

I get the following message:

Reply-Message = "TLS: hostname does not match CN in peer certificate"

Complete output:

Sending Access-Request of id 137 to 127.0.0.1 port 1812
User-Name = "user"
User-Password = "password"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1


rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=137,
length=73
Reply-Message = "TLS: hostname does not match CN in peer certificate"

That's correct, because I'm still in a testing phase and the openldap
certificate doesn't match with the openldap hostname. But I need to
fetch the data...
What can I change to get it working? Is the only way to generate new
certificate files?

Thanks!

Regards,
Ivan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alan DeKok
2012-06-15 12:32:06 UTC
Post by Ivan De Masi
The access to the ldap server is secured with ssl (not TLS!), so
openldap is listening on port 636.
When I try
# radtest user "mypassword" localhost 1 testing123
Reply-Message = "TLS: hostname does not match CN in peer certificate"
That message does not exist in the default configuration.

Someone added it to the local configuration.
Post by Ivan De Masi
Sending Access-Request of id 137 to 127.0.0.1 port 1812
User-Name = "user"
User-Password = "password"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1
Uh... no. You are aware that the "radclient" program is not the
radius server?

Read the output of "radiusd -X". This is mentioned in the FAQ, Wiki,
web site, "man" page, and daily on this list.
Post by Ivan De Masi
That's correct, because I'm still in a testing phase and the openldap
certificate doesn't match with the openldap hostname. But I need to
fetch the data...
What can I change to get it working? Is the only way to generate new
certificate files?
I have no idea what you're doing, so I can't answer that question.

Alan DeKok.
Ivan De Masi
2012-06-18 13:54:13 UTC
Post by Alan DeKok
Post by Ivan De Masi
The access to the ldap server is secured with ssl (not TLS!), so
openldap is listening on port 636.
When I try
# radtest user "mypassword" localhost 1 testing123
Reply-Message = "TLS: hostname does not match CN in peer certificate"
That message does not exist in the default configuration.
Someone added it to the local configuration.
Post by Ivan De Masi
Sending Access-Request of id 137 to 127.0.0.1 port 1812
User-Name = "user"
User-Password = "password"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1
Uh... no. You are aware that the "radclient" program is not the
radius server?
Read the output of "radiusd -X". This is mentioned in the FAQ, Wiki,
web site, "man" page, and daily on this list.
Post by Ivan De Masi
That's correct, because I'm still in a testing phase and the openldap
certificate doesn't match with the openldap hostname. But I need to
fetch the data...
What can I change to get it working? Is the only way to generate new
certificate files?
I have no idea what you're doing, so I can't answer that question.
Alan DeKok.
Hi,

that's what I found in a howto when testing the config... :-)

"radiusd -X" doesn't seem to work on Debian (?!)

Regards,
Ivan
--
AStA TU Darmstadt
IT-Administration
Raum S1|03 63
Hochschulstr. 1
64289 Darmstadt

Tel. +49-6151-162217
Fax. +49-6151-166026


Frank Ranner
2012-06-15 22:04:40 UTC
Set the hostname in the ldap conf to match what is in the certificate. You
may need to create an entry in /etc/hosts to match. You may be able to get
around the mismatch by creating an ldaprc file and setting the parameter
that controls the hostname checking to none.
Post by Ivan De Masi
Hello all,
I have installed freeradius 2.1.10 on Debian Squeeze and configured it to
fetch the users from the ldap server.
Post by Ivan De Masi
The access to the ldap server is secured with ssl (not TLS!), so openldap
is listening on port 636.
Post by Ivan De Masi
When I try
# radtest user "mypassword" localhost 1 testing123
Reply-Message = "TLS: hostname does not match CN in peer certificate"
Sending Access-Request of id 137 to 127.0.0.1 port 1812
User-Name = "user"
User-Password = "password"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=137,
length=73
Post by Ivan De Masi
Reply-Message = "TLS: hostname does not match CN in peer certificate"
That's correct, because I'm still in a testing phase and the openldap
certificate doesn't match with the openldap hostname. But I need to fetch
the data...
Post by Ivan De Masi
What can I change to get it working? Is the only way to generate new
certificate files?
Post by Ivan De Masi
Thanks!
Regards,
Ivan
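Frank's first suggestion, worked through as an added example that is not FreeRADIUS or OpenLDAP code: given the names in the LDAPS server certificate, decide whether the hostname configured in the ldap module would pass the client's peer-name check and, if not, which names would. The certificates below are constructed samples in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and every hostname in them is an assumption.

```python
# Added example (not FreeRADIUS/OpenLDAP code). Certificates are constructed
# samples in the shape ssl.SSLSocket.getpeercert() returns; hostnames assumed.

def cert_hostnames(cert):
    """Names a client may compare against: the SAN dNSName entries, or the
    subject CN only when no dNSName SAN is present (the fallback libldap and
    most TLS stacks apply, hence the 'CN in peer certificate' wording)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, trailing dot ignored,
    a single leading '*.' matches exactly one left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], hostname.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == hostname

def check_server_name(cert, configured_host):
    """Return (ok, advice). ok is True when configured_host satisfies the
    peer-name check; otherwise advice lists the certificate names that would,
    so the config (plus an /etc/hosts entry if the name does not resolve) can
    be fixed instead of the check being switched off."""
    names = cert_hostnames(cert)
    if any(name_matches(n, configured_host) for n in names):
        return True, "%s matches the server certificate" % configured_host
    usable = [n for n in names if not n.startswith("*.")]
    return False, ("%s matches neither CN nor SAN; set server = one of %s "
                   "(adding an /etc/hosts entry if it does not resolve), or "
                   "reissue the certificate for %s"
                   % (configured_host, usable or names, configured_host))

# Constructed certificates: one with a SAN, one CN-only like the test-phase
# certificate described in the thread.
SAN_CERT = {"subject": ((("commonName", "ldap.example.org"),),),
            "subjectAltName": (("DNS", "ldap.example.org"),
                               ("DNS", "*.example.org"))}
CN_ONLY_CERT = {"subject": ((("commonName", "ldap01"),),)}

if __name__ == "__main__":
    for cert, host in ((SAN_CERT, "ldap.example.org"), (SAN_CERT, "localhost"),
                       (CN_ONLY_CERT, "ldap01.example.org")):
        print(check_server_name(cert, host)[1])
```

Matching the configured name to the certificate (or reissuing the certificate) keeps the check in place; the OpenLDAP client option that relaxes it, `TLS_REQCERT` set to `never` or `allow` in ldaprc, disables server certificate validation as a whole, not only the name comparison.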
Ivan De Masi
2012-06-18 13:50:56 UTC
Post by Frank Ranner
Set the hostname in the ldap conf to match what is in the certificate.
You may need to create an entry in /etc/hosts to match. You may be able
to get around the mismatch by creating an ldaprc file and setting the
parameter that controls the hostname checking to none.
OK, thanks for the hints. I'll give it a try and report.

And if there is no other way at all, I'll generate the future
certificates for the host.

Regards,
Ivan