Symantec Directory: post-SP3 upgrade, DXtools over SSL does not work with generic cert

Article ID: 242958

Products

CA Directory

Issue/Introduction

After upgrading Symantec Directory to 14.1.03 (14.1 SP3), DXtools over SSL may stop working with a generic (non host-specific) certificate that worked fine before the SP3 upgrade.

For example, running the following dxsearch command returns an error and no results:

dxsearch -Z -h node_name:port -b "dc=ca,dc=com" "cn=*"

TLS trace: SSL_connect:SSLv3 read finished A
TLS: hostname (node_name) does not match common name in certificate (generic).
TLS: can't connect: TLS: hostname does not match name in peer certificate.
ldap_err2string
ldap_start_tls: Connect error (-11)
        additional info: TLS: hostname does not match name in peer certificate

ldap_err2string
ldap_result: Can't contact LDAP server (-1)
        additional info: TLS: hostname does not match name in peer certificate

Environment

Release : 14.1

Component : CA Directory

Resolution

The change in DXtools behaviour over SSL is caused by the OpenLDAP client library upgrade in 14.1 SP3 (14.1.03). The newer library checks that the hostname given with -h matches a name in the server certificate (subjectAltName or subject CN); a generic certificate whose CN is, for example, "generic" fails that check, which is exactly the "hostname does not match name in peer certificate" error shown above. The pre-SP3 library did not enforce it.

You may have configured $DXHOME/config/ssld/dxldap.conf as shown below, which worked before the SP3 upgrade:

TLS_CACERT  /opt/CA/Directory/dxserver/config/ssld/trusted.pem
# TLS_REQCERT never

The workaround is to uncomment the TLS_REQCERT line so that the file reads:

TLS_CACERT  /opt/CA/Directory/dxserver/config/ssld/trusted.pem
TLS_REQCERT never

After that change, DXtools over SSL work again.

Note that TLS_REQCERT never tells the OpenLDAP client not to request or check the server certificate at all: the session is still encrypted, but the client no longer verifies that it is talking to the intended DSA, so the chain check against trusted.pem is effectively bypassed as well. Where that is not acceptable, keep TLS_REQCERT at its default (demand) and instead issue the DSA a certificate whose subjectAltName (or CN) contains the hostname you pass with -h, or pass a hostname that matches the certificate.
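The following script is an added example, not code from the article or from the Symantec Directory product. It models the name check that the upgraded client library performs, and what the TLS_REQCERT setting in dxldap.conf does to it: it parses the two dxldap.conf variants from this article (embedded as constructed text), compares a hostname against a certificate's names the way RFC 6125 prescribes (subjectAltName dNSName entries take precedence over the subject CN, a single leading wildcard label is allowed), and reports the outcome for the generic certificate and for a reissued one. The hostname dsa1.example.com is hypothetical, and the decision logic in start_tls_outcome is a deliberately simplified model of the client: "never" skips certificate verification, every other value is treated as enforcing the name check.

```python
"""Model the post-SP3 libldap hostname check against a Directory
server certificate and show what TLS_REQCERT in dxldap.conf does to it.
Added example; not part of the Symantec Directory product."""

# Constructed dxldap.conf contents mirroring the article: before and after
# the workaround. The trusted.pem path is the article's own example path.
CONF_BEFORE = """TLS_CACERT  /opt/CA/Directory/dxserver/config/ssld/trusted.pem
# TLS_REQCERT never
"""
CONF_AFTER = """TLS_CACERT  /opt/CA/Directory/dxserver/config/ssld/trusted.pem
TLS_REQCERT never
"""


def _match_pattern(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate name with a hostname.
    Case-insensitive; a single leading '*.' wildcard matches exactly one
    left-most label and must leave at least two literal labels."""
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def hostname_matches(hostname, san_dns, subject_cn):
    """True if the hostname is covered by the certificate's names.
    subjectAltName dNSName entries are authoritative; the subject CN is
    only consulted when the certificate carries no dNSName SAN at all."""
    if san_dns:
        names = list(san_dns)
    else:
        names = [subject_cn] if subject_cn else []
    return any(_match_pattern(n, hostname) for n in names)


def tls_reqcert(conf_text):
    """Effective TLS_REQCERT from dxldap.conf text (ldap.conf syntax).
    '#' lines are comments; OpenLDAP's documented default is 'demand'."""
    value = "demand"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "TLS_REQCERT":
            value = parts[1].strip().lower()
    return value


def start_tls_outcome(conf_text, hostname, san_dns, subject_cn):
    """Simplified model (assumption) of the client's decision after the
    handshake: 'never' means the server certificate is not requested or
    checked; every other value is treated here as enforcing the name check."""
    if tls_reqcert(conf_text) == "never":
        return "connected (certificate not verified)"
    if hostname_matches(hostname, san_dns, subject_cn):
        return "connected (certificate name verified)"
    return "error: TLS: hostname does not match name in peer certificate"


if __name__ == "__main__":
    host = "dsa1.example.com"                  # hypothetical DSA hostname
    generic = ([], "generic")                  # generic cert: CN=generic, no SAN
    fixed = (["dsa1.example.com"], "generic")  # reissued cert with a matching SAN
    for label, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        print(label, "generic cert:", start_tls_outcome(conf, host, *generic))
        print(label, "SAN cert:    ", start_tls_outcome(conf, host, *fixed))
```

To use this against a real DSA, feed hostname_matches the names printed by openssl x509 -noout -subject -ext subjectAltName for the certificate the server presents; a False result with the default TLS_REQCERT is the condition that produces the dxsearch error above, and the last loop line shows that a certificate carrying the right subjectAltName clears the check without touching TLS_REQCERT.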