what names for TLS certificates when using SRV records

ssl slapd srv-record

When I'm using a SRV DNS record, what name(s) do I put in the TLS certificate? For example, if I'm setting up slapd on two servers (klas1 and klas2), and I define these DNS records (using bind zone file style notation):

_ldap._tcp.example.com. IN  SRV 10 0 389 klas1.example.com.
_ldap._tcp.example.com. IN  SRV 20 0 389 klas2.example.com.
klas1.example.com.  A 192.168.0.1
klas2.example.com.  A 192.168.0.2

I'd expect my clients would be configured to connect to ldap://example.com/. However when I'm generating TLS certificates on the servers, do I generate them with the name "example.com", or do I generate them with the name "klas1.example.com", or do I need both?


Solution 1:

The certificate must match the hostname, i.e. corresponding A record for the server. You could have individual klas1.example.com & klas2.example.com certificates or shared wildcard *.example.com certificate, but example.com won't match.

The SRV records don't need certificates as they are used only on DNS level for service discovery.

Solution 2:

you only need your host entries (A records), services records are used for discovery not the connection itself.

Solution 3:

The certificate common name or SubjectAltName.DNS should match the name that was originally given in the LDAP uri. RFC6125 in appendix B.3 (https://www.rfc-editor.org/rfc/rfc6125#appendix-B.3) says:

3.6. Server Identity Check

The client MUST check its understanding of the server's hostname
against the server's identity as presented in the server's
Certificate message, in order to prevent man-in-the-middle attacks.

Matching is performed according to these rules:

o The client MUST use the server hostname it used to open the LDAP connection as the value to compare against the server name as expressed in the server's certificate. The client MUST NOT use the server's canonical DNS name or any other derived form of name.

Note that the same logic applies for other protocols that use SRV records, like SIP. This is somewhat logic from a security standpoint. If only the host was checked, it would be easy to perform a man in middle attack by diverting the connection to nodes whose hostnames are unrelated to the domain name originally queried.

Related

Dovecot Sieve does not run?
OpenVPN with a Windows Certificate Services PKI
DRBD experimentation and virtualization
How to disable UPS energy_saving with NUT?
How to upload configuration files using the shell provider?
KVM "live migration finished" detection
SSH Tunnel slow
Network performance in large transfer of data
System Monitoring service - Hosted [closed]
Mod-proxy with query string alternatives?
Multi-Role Domain Controllers for Small Offices (< 50 clients)
"Send As" Permission and "You do not have permission to send to this recipient" Error