Emmanuel BILLOT wrote: > Hi, > > During our many tests, we've seen a particular behaviour in certs > checking, so wewander if it is not as misconfiguration of our server : > > We have installed 2 FDS and replication agrements between it. Those > replication agrement are configurated with the "SSL connection" option > enable, "simple authentification" and a replication manager. > A certificate have been generated for each server, using is FQDN. > Replication is ok. > However, we 've made a mistake in a tests, and one cert was generated > with DNS hostname different from the server it was destinated for and > replication is still working... > > How is it possible ? Is there any hostname controle in the SSL > connection ? I'm not sure how it's possible. Yes, by default the hostname is checked. This is controlled by the attribute nsslapd-ssl-check-hostname in cn=config. By default this is "on". > > Ex: toutou.gaia.net (with cert signed toutou.gaia.intranet.net) is > replicating with gri.gaia.net (with cert signed gri.gaia.net) > > BR, > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20090311/1d69e888/attachment.bin
