[OPENAM-13984] Upgrade/Install Document need for stricter Hostname Matching for LDAP certificates Created: 15/Nov/18 Updated: 21/Nov/18 Resolved: 16/Nov/18
|Affects Version/s:||188.8.131.52, 6.5.0|
|Fix Version/s:||6.0.0, 6.5.0|
|Reporter:||William Hepler||Assignee:||Cristina Herraz|
|Remaining Estimate:||Not Specified|
|Time Spent:||Not Specified|
|Original Estimate:||Not Specified|
|Sprint:||2018.11 - Docs 6.5|
|Support Ticket IDs:||
|Needs QA verification:||
|Are the reproduction steps defined?:||No (add reasons in the comment)|
Multiple reports of upgrades from 13.x to 6 failing with the increased security around DNS name matching for LDAP connections.
We tried the following Java property: com.sun.jndi.ldap.object.disableEndpointIdentification
This didn't seem to change the behavior, so it doesn't seem valid; this appears to be a code change and not an underlying Java JDK change.
It's required that the certificate hostname match:
Failures in the configuration store will appear to be:
This is caused by:
Caused by: Connect Error: The LDAP connection has failed because an error occurred during the SSL handshake: java.security.cert.CertificateException: No subject alternative DNS name matching HOSTNAME found.
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching HOSTNAME found.
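As an added illustration (not code from the ticket, OpenAM or the JDK), the following Python check applies the SAN-based hostname matching rules that produce the error quoted above to a constructed description of an LDAP server certificate. The sample certificate, the RFC 6125-style wildcard rules and the CN fallback only when no dNSName entries exist are assumptions about the general mechanism, not a transcript of the JDK's implementation.

```python
import ipaddress

# Constructed sample (an assumption, not the reporter's certificate): the
# subject CN and subjectAltName entries an LDAP server certificate presents.
SAMPLE_CERT = {
    "cn": "ldap.example.com",
    "san_dns": ["ds1.example.com", "*.internal.example.com"],
    "san_ip": ["10.0.0.5"],
}

def _dns_name_match(hostname: str, template: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored, and a
    wildcard only as the entire leftmost label matching exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    tmpl = template.lower().rstrip(".").split(".")
    if "*" not in template:
        return host == tmpl
    if tmpl[0] != "*" or len(tmpl) < 3 or any("*" in t for t in tmpl[1:]):
        return False  # "*.com", "f*.example.com" and "a.*.b" are rejected
    return len(host) == len(tmpl) and host[1:] == tmpl[1:]

def check_hostname(hostname: str, cert: dict) -> tuple:
    """Return (passes, reason) for connecting to hostname with this cert."""
    target = hostname.strip("[]")
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal must match an iPAddress SAN entry; the CN is never used.
        for entry in cert.get("san_ip", []):
            if ipaddress.ip_address(entry) == ip:
                return True, f"matched SAN iPAddress {entry}"
        return False, f"No subject alternative names matching IP address {target} found."
    san_dns = cert.get("san_dns", [])
    for entry in san_dns:
        if _dns_name_match(target, entry):
            return True, f"matched SAN dNSName {entry}"
    if san_dns:
        # The path behind the error quoted above: dNSName entries exist, none
        # match the configured hostname, and the subject CN is not consulted.
        return False, f"No subject alternative DNS name matching {target} found."
    cn = cert.get("cn")
    if cn and _dns_name_match(target, cn):
        return True, f"matched subject CN {cn} (no SAN dNSName entries present)"
    return False, f"No name matching {target} found."
```

The sample shows the usual upgrade trap: the CN says ldap.example.com but the SAN does not, so connecting by that name fails once SAN matching is enforced, and the fix is to connect using a name the SAN lists or to reissue the certificate. The entries a live server actually presents can be read with `openssl s_client -connect HOST:636 </dev/null | openssl x509 -noout -ext subjectAltName`.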
|Comment by Cristina Herraz [ 16/Nov/18 ]|
As discussed, fixed for 6.5 and 6 for now. If later on there is news that this is required for other versions too, let us know.
|Comment by Cristina Herraz [ 19/Nov/18 ]|
That's a question for Gene Hirayama; I don't really know.