On Tue, 16 Mar 2010 19:45:25 +1000, "Brett @Google" <[email protected]> wrote:
> Hello,
>
> Is there any way of suppressing the SSL warning/error "TLS: hostname
> (XXXXX) does not match common name in certificate" for a syncrepl
> client?
>
> This error is being returned by a syncrepl client which is
> negotiating SSL talking to a syncrepl server by using its (actual /
> real) server name, but as the server name returns a certificate based
> on its (external / content switch) server name, the ssl library on
> the client waits for a randomly long time, and then returns the error
> above as the cert returned does not exactly match the hostname
> configured in the provider="" line, in the syncrepl client
> configuration.
>
> If it's indeed a warning, then the syncrepl client should ignore it,
> but it does not, so effectively it is an error as it causes the
> syncrepl client to abort its connection.
>
> A hack might be to add the "external" name to /etc/hosts on each
> syncrepl client with the correct ip for each syncrepl server, but was
> hoping for something better.

You may either configure syncrepl with 'tls_reqcert=never', which would
not be a wise decision, or add a subjectAltName value to the host
certificate.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N 10°08'02,42"E
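Added example (not part of the original message and not OpenLDAP code): a simplified hostname check over a dict shaped like Python's `ssl.getpeercert()` output, showing why the name in provider= fails against a CN-only certificate and passes once both names are listed as subjectAltName entries. The host names are constructed, and the RFC 6125 style rule used here (dNSName entries take precedence over the CN) is an assumption; OpenLDAP's own matching may differ.

```python
# Added example: simplified TLS hostname check. Names below are constructed.

EXTERNAL = "ldap.example.com"            # content-switch name (constructed)
REAL = "ldap1.internal.example.com"      # name used in provider= (constructed)

# Certificate dicts in the shape returned by ssl.SSLSocket.getpeercert()
CERT_CN_ONLY = {"subject": ((("commonName", EXTERNAL),),)}
CERT_WITH_SAN = {
    "subject": ((("commonName", EXTERNAL),),),
    "subjectAltName": (("DNS", EXTERNAL), ("DNS", REAL)),
}


def _name_match(pattern, host):
    """Compare DNS names; '*' is accepted only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # refuse wildcards that would cover a whole top-level domain
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def names_in_cert(cert):
    """Return (dNSName SAN entries, subject commonName values)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    return sans, cns


def hostname_matches(cert, host):
    """Assumed rule: dNSName SANs are authoritative; CN is only a fallback."""
    sans, cns = names_in_cert(cert)
    candidates = sans if sans else cns
    return any(_name_match(c, host) for c in candidates)


def audit(cert, provider_hosts):
    """Map each host a consumer might put in provider= to match / no match."""
    return {h: hostname_matches(cert, h) for h in provider_hosts}


if __name__ == "__main__":
    for label, cert in (("CN only", CERT_CN_ONLY), ("with SAN", CERT_WITH_SAN)):
        print(label, audit(cert, [EXTERNAL, REAL]))
```

Because the SAN list replaces the CN under this rule, the reissued certificate has to carry the external name as a SAN entry too, not only the real server name.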
