Emmanuel BILLOT wrote:> Hi,
>
> During our many tests, we''ve seen a particular behaviour in certs
> checking, so wewander if it is not as misconfiguration of our server :
>
> We have installed 2 FDS and replication agrements between it. Those
> replication agrement are configurated with the "SSL connection"
option
> enable, "simple authentification" and a replication manager.
> A certificate have been generated for each server, using is FQDN.
> Replication is ok.
> However, we ''ve made a mistake in a tests, and one cert was
generated
> with DNS hostname different from the server it was destinated for and
> replication is still working...
>
> How is it possible ? Is there any hostname controle in the SSL
> connection ?
I''m not sure how it''s possible. Yes, by default the hostname
is
checked. This is controlled by the attribute nsslapd-ssl-check-hostname
in cn=config. By default this is "on".>
> Ex: toutou.gaia.net (with cert signed toutou.gaia.intranet.net) is
> replicating with gri.gaia.net (with cert signed gri.gaia.net)
>
> BR,
>