SSL: wrong/broken in FreeBSD 10.0-CURRENT?

O. Hartmann ohartman at mail.zedat.fu-berlin.de
Fri Mar 30 13:50:32 UTC 2012


Sorry for the naive headline.

I run into massive problems on all of my FreeBSD 10.0-CURRENT driven
boxes. PostgreSQL rejects accessing OpenLDAP via SSL and all clients
accessing the database and authenticating users via an SSL/TLS secured
connection to OpenLDAP refuse to work. This includes some very important
facilities like textproc/refdb, databases/pgadmin3, www/mediawiki.

More scary, I tried to generate new SSL certificates for our small
network. We have used small scripts for that task since FreeBSD 8.0.
Creating a new CA certificate works fine, including creating new
certificates for clients based on the new CA.

Well, what worked half a year before doesn't anymore and I have no clue
what goes wrong.

I created a set of new CA, key and host certificate (self signed, of
course) for OpenLDAP.
Using the CA and key/cert from backup - created with the same conf and
scripts on FBSD 8/9 I use now on FBSD 10 - goes "smooth", but fails
starting the OpenLDAP server.
The log output of the server is as follows:

TLS: could not use key file `/usr/local/etc/openldap/certs/server.key'.
TLS: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/x509/x509_cmp.c:406
main: TLS init def ctx failed: -1
slapd stopped.
connections_destroy: nothing to destroy.
/usr/local/etc/rc.d/slapd: WARNING: failed to start slapd


As far as I can dig from the web, this error code "TLS: error:0B080074:x509
certificate..." is due to mismatching CN names. But why all of a sudden
should that be wrong?

Did something significantly change in FreeBSD 10.0-CURRENT these days?

Regards,
Oliver
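
The `X509_check_private_key` routine named in the log above compares the public key inside the certificate with the private key it is given. The script below, an added example that is not part of the original post, runs the same comparison with the `openssl` command line so a certificate/key pair can be checked before slapd is started. The file names, CNs and the helper names `cert_key_match`, `make_fixtures` and `report` are constructed for illustration, and unencrypted PEM keys are assumed.

```shell
#!/bin/sh
# Added example: does this certificate belong to this private key?
# File names and CNs below are constructed for the demonstration.

# Return 0 if the certificate's public key equals the one derived from the
# (unencrypted) private key, 1 if they differ, 2 if either file is unreadable.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Build constructed test material in directory $1.
make_fixtures() {
    # Self-signed certificate plus the key it was issued for.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ldap.example.test" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
    # Same key, different CN: the subject name plays no part in the check.
    openssl req -x509 -new -key "$1/server.key" -days 1 \
        -subj "/CN=other.example.test" -out "$1/other-cn.crt" 2>/dev/null
    # Unrelated key, standing in for a key file from a different script run.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/stale.key" 2>/dev/null
}

# Print a one-line verdict for a certificate/key pair.
report() {
    cert_key_match "$1" "$2" && rc=0 || rc=$?
    case $rc in
        0) echo "match:      $1 <-> $2" ;;
        1) echo "MISMATCH:   $1 <-> $2" ;;
        *) echo "unreadable: $1 or $2" ;;
    esac
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_fixtures "$tmp"
report "$tmp/server.crt"   "$tmp/server.key"   # match
report "$tmp/other-cn.crt" "$tmp/server.key"   # match
report "$tmp/server.crt"   "$tmp/stale.key"    # MISMATCH
```

On a real host, call `cert_key_match` with the certificate and key paths from slapd's TLS configuration.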
