rhelv5-list-boun...@redhat.com wrote on 2012-02-03 17:21:50:

> From: Vu Pham <v...@sivell.com>
> To: Brian Seklecki <bsekle...@fedex.com>
> Cc: "Red Hat Enterprise Linux 5 \(Tikanga\)discussion mailing-list" <rhelv5-list@redhat.com>
>
> [....]
> Hi Brian, thanks for your reply.
>
> I may be wrong, but the problem here, I think, is not that wget cannot
> get the certificate and/or the CA file, but it does not get the SAN name
> to compare with the host name when the CN name does not match.
>
> In these tests, wget points to the same server with different DNS names.
> For the DNS name that matches the CN, wget does not complain about the
> cert/CA files. For the other name that matches the SAN name, wget stops
> with errors.
>
> Thanks,
> Vu
>

That's kind of basic SSL functionality - to warn you or deny access if the server's DNS name does not match the CN in the certificate ;)

So the SSL connection may not continue when:
1. CA is unknown and cannot be verified,
2. Certificate's CN field (Common Name) doesn't match the DNS name of the server,
3. Server's SSL certificate is too old or is on a CRL list.
4. and as usual other SSL implementation problems ;)

Try connecting to the HTTPS website with a web browser and get the certificate. See if it's valid and the CN corresponds with the DNS name. You must connect to the DNS name (not IP address - it won't work). I would start with that.

Krzysztof
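The situation discussed in this thread, as an added example that is not part of the original messages and is not wget's code: one certificate checked against several host names, first by a client that compares only the CN, then by one that reads the DNS entries of the SAN extension. The certificate contents, host names and function names are constructed for illustration.

```python
# Added example: CN-only versus SAN-aware host name checks on one certificate.
# CERT is constructed sample data in the dict layout of ssl.SSLSocket.getpeercert().
CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "files.example.com"),
                       ("DNS", "*.cdn.example.com")),
}

def _label_match(pattern, host):
    """Compare one presented DNS name with the requested host, case-insensitively.
    A wildcard is honoured only as the whole left-most label."""
    p, h = pattern.lower().rstrip(".").split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def dns_sans(cert):
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def cn_only_check(cert, host):
    """What a client that never reads the SAN extension does."""
    return any(_label_match(cn, host) for cn in common_names(cert))

def san_aware_check(cert, host):
    """RFC 6125 order: if dNSName SANs exist, only they count; else fall back to CN."""
    sans = dns_sans(cert)
    names = sans if sans else common_names(cert)
    return any(_label_match(n, host) for n in names)

def compare(cert, hosts):
    return {h: (cn_only_check(cert, h), san_aware_check(cert, h)) for h in hosts}

if __name__ == "__main__":
    hosts = ["www.example.com", "files.example.com", "a.cdn.example.com", "evil.example.com"]
    for host, (cn_ok, san_ok) in compare(CERT, hosts).items():
        print(f"{host:22} CN-only={cn_ok!s:5} SAN-aware={san_ok}")
```

A host name that appears only in the SAN list fails the CN-only check and passes the SAN-aware one, which is the pattern to look for when the same server is accepted under one DNS name and rejected under another.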