LDAP SSL CN validation checks fail to validate wildcard SSL cert names #547
Milestone
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
We are stuck on Rundeck 1.5 because of the change in issue #455. The code change here does not take into account wildcard SSL certs (*.corp.mydomain.com being used on ldap.corp.mydomain.com) and completely breaks our LDAP login.
Please patch the code to allow for wildcard certs -- OR provide the option to disable SSL cert CN verification entirely.
Caused by: javax.naming.CommunicationException: simple bind failed: ldap.corp.mydomain.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: [ldap.corp.mydomain.com] does not match certificate subject [.corp.mydomain.com]]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685)
at com.sun.jndi.ldap.LdapCtx.(LdapCtx.java:306)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
at javax.naming.InitialContext.init(InitialContext.java:240)
at javax.naming.InitialContext.(InitialContext.java:214)
at javax.naming.directory.InitialDirContext.(InitialDirContext.java:99)
at com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule.initialize(JettyCachingLdapLoginModule.java:649)
... 29 more
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: [ldap.corp.mydomain.com] does not match certificate subject [.corp.mydomain.com]
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1715)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:257)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:251)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1168)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:609)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:545)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:963)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1208)
at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:838)
at sun.security.ssl.AppInputStream.read(AppInputStream.java:94)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
at java.io.BufferedInputStream.read1(BufferedInputStream.java:275)
at java.io.BufferedInputStream.read(BufferedInputStream.java:334)
at com.sun.jndi.ldap.Connection.run(Connection.java:820)
at java.lang.Thread.run(Thread.java:679)
Caused by: java.security.cert.CertificateException: [ldap.corp.mydomain.com] does not match certificate subject [*.corp.mydomain.com]
at com.dtolabs.rundeck.jetty.jaas.HostnameVerifyingTrustManager.checkServerTrusted(HostnameVerifyingTrustManager.java:61)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1160)
... 12 more
The text was updated successfully, but these errors were encountered: