Description
net-ldap version 0.18.0
LDAP server version: Windows Active Directory (unsure of specific version)
OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
I upgraded from net-ldap v0.17.1 to 0.18.0 to find our Rails app could no longer connect to our LDAP server:
```text
[FATAL] Net::LDAP::ConnectionError (Unable to connect to any given server:
17:45:24 web.1 | OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 peeraddr=192.168.162.22:636 state=error: certificate verify failed (Hostname mismatch) (host1.ourdomain.com:636)
17:45:24 web.1 | OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 peeraddr=192.168.163.22:636 state=error: certificate verify failed (Hostname mismatch) (host2.ourdomain.com:636)
17:45:24 web.1 | OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 peeraddr=192.168.161.22:636 state=error: certificate verify failed (Hostname mismatch) (host3.ourdomain.com:636)):
```
Our (unchanged) LDAP configuration uses an array of hosts, like this:
```ruby
hosts: [['host1.ourdomain.com', 636], ['host2.ourdomain.com', 636], ['host3.ourdomain.com', 636]],
connect_timeout: 2,
encryption: {
  method: :simple_tls,
  tls_options: {
    ca_file: '/etc/pki/tls/certs/our-ca-chain.pem',
    verify_mode: OpenSSL::SSL::VERIFY_PEER
  }
},
```
Investigation showed the certificate CN of each host did actually match its hostname. It also showed the application was able to connect to each of these hosts when configured directly as a single server:
```ruby
host: 'host1.ourdomain.com',
port: 636,
```
Other workarounds I identified:

- Setting `verify_mode=OpenSSL::SSL::VERIFY_NONE`, though this is not recommended
- Reverting net-ldap to v0.17.1
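As an added example (not code from the issue or from the net-ldap project), the script below runs OpenSSL's own CN/SAN identity check offline against constructed self-signed certificates for the three reported host names, so the certificates can be confirmed to pass for their own names before anyone reaches for `VERIFY_NONE`; the host names come from the report, while the certificates, keys and helper names are constructed for the example.

```ruby
require 'openssl'

# Constructed stand-in for an LDAP server certificate: self-signed, with the
# host name in the CN and in a DNS subjectAltName (verifiers ignore the CN
# once a SAN is present). Not a real certificate from the report.
def build_server_cert(hostname)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{hostname}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Apply the identity check OpenSSL uses during a verified handshake, pairing
# each certificate with the name chosen by expected_name_for. Returns
# { host => true/false }.
def identity_check(certs_by_host, expected_name_for)
  certs_by_host.to_h { |host, cert|
    [host, OpenSSL::SSL.verify_certificate_identity(cert, expected_name_for.call(host))]
  }
end

HOSTS = [['host1.ourdomain.com', 636], ['host2.ourdomain.com', 636],
         ['host3.ourdomain.com', 636]].freeze
CERTS = HOSTS.to_h { |host, _port| [host, build_server_cert(host)] }

# Correct pairing: each certificate is checked against its own host name.
def check_per_host
  identity_check(CERTS, ->(host) { host })
end

# Wrong pairing: every certificate is checked against the first host's name.
# A certificate whose CN matches its own host still fails when checked
# against some other name, which is exactly a "Hostname mismatch" result.
def check_against_first_host
  identity_check(CERTS, ->(_host) { HOSTS.first.first })
end

if __FILE__ == $PROGRAM_NAME
  p check_per_host
  p check_against_first_host
end
```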