Re: tls init def ctx failed: -1 with my cacert signed certs
Dieter Kluenter wrote:
> Howard Chu <hyc@symas.com> writes:
>
>> Jelle de Jong wrote:
>>> On 24/07/09 18:22, Dieter Kluenter wrote:
>>>> Jelle de Jong<jelledejong@powercraft.nl> writes:
>>>>
>>>>> Brian A. Seklecki wrote:
>>>>>> On Fri, 2009-07-24 at 15:11 +0200, Jelle de Jong wrote:
>>>>>>> Hello everybody,
>>>> [...]
>>>>> Hi BAS, thank you for helping, I gathered some more information I hope
>>>>> it can help to see what is going on, I can't make anything from the
>>>>> debug output of the openldap server
>>>>>
>>>>> http://debian.pastebin.com/m56aaee1e
>>>> The powercraft/nl-certificate is missing the X509v3 Authority Key
>>>> Identifier
>
>>> So that was an answer I was not expecting :D. So I contacted the
>>> CACert.org people that are my root authority for my certs, and they
>>> indeed do not support X509v3. I am creating a feature bug for this at
>>> their bugtracker, however isn't there a way for openldap to not use the
>>> X509v3 extensions?
>> Pretty sure the extensions are not required. However, X.509v1 certs
>> are more easily spoofed.
Yupp.
> If a signing keyid is not required, are there other methods to
> describe and verify the certificate chain?
Yes, of course!
RFC 5280, section 4.1.2.4.:
Certificate users MUST be prepared to process the issuer
distinguished name and subject distinguished name (Section 4.1.2.6)
fields to perform name chaining for certification path validation
(Section 6).
Ciao, Michael.
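The name-chaining rule Michael quotes from RFC 5280 is easy to see in code. The following is an added example, not something posted in this thread and not OpenLDAP's own code: it builds a small constructed PKI with the third-party `cryptography` package (assumed installed), deliberately omitting the Authority Key Identifier and Subject Key Identifier extensions like the CAcert-issued certificate under discussion, and then walks from the leaf to a self-signed root purely by matching issuer DN against subject DN. Because a DN is not a key, the walk also includes an impostor root with the same DN as the real one, which is exactly the spoofing risk Howard mentions; the signature check on each hop is what rejects it. All names, key sizes and helper functions are assumptions made for this illustration.

```python
"""Added example (not from the thread): RFC 5280 name chaining without AKI/SKI.
Requires the third-party `cryptography` package (assumed installed)."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtensionOID, NameOID


def _make_cert(subject, issuer, subject_key, signing_key, is_ca):
    """Build a certificate with only BasicConstraints; no AKI or SKI on purpose,
    mimicking the certificate discussed in the thread."""
    now = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(signing_key, hashes.SHA256())


def has_aki(cert):
    """True if the certificate carries an X509v3 Authority Key Identifier."""
    try:
        cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_KEY_IDENTIFIER)
        return True
    except x509.ExtensionNotFound:
        return False


def _signed_by(cert, issuer_cert):
    """Check cert's signature with the candidate issuer's RSA public key."""
    try:
        issuer_cert.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            padding.PKCS1v15(),
            cert.signature_hash_algorithm,
        )
        return True
    except InvalidSignature:
        return False


def build_chain_by_name(leaf, candidates, max_depth=8):
    """Walk leaf -> root using issuer DN == subject DN (RFC 5280 4.1.2.4 / 6).
    Several candidates may share a DN; the signature check picks the real one."""
    chain = [leaf]
    current = leaf
    while current.issuer != current.subject:
        if len(chain) > max_depth:
            raise ValueError("certification path too long")
        same_name = [c for c in candidates if c.subject == current.issuer]
        issuer = next((c for c in same_name if _signed_by(current, c)), None)
        if issuer is None:
            raise ValueError("no issuer found for " + current.issuer.rfc4514_string())
        chain.append(issuer)
        current = issuer
    # The trust anchor must at least be consistent with itself.
    if not _signed_by(current, current):
        raise ValueError("self-signed root has an invalid signature")
    return chain


def build_demo_pki():
    """Constructed sample PKI: root, intermediate, leaf, and an impostor root
    that reuses the real root's DN but has its own key. Returns (leaf, store)."""
    keys = [rsa.generate_private_key(public_exponent=65537, key_size=2048) for _ in range(4)]
    root_key, inter_key, leaf_key, fake_key = keys
    cn = lambda name: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    root_name, inter_name, leaf_name = cn("Example Root CA"), cn("Example Intermediate CA"), cn("ldap.example.com")
    root = _make_cert(root_name, root_name, root_key, root_key, True)
    inter = _make_cert(inter_name, root_name, inter_key, root_key, True)
    leaf = _make_cert(leaf_name, inter_name, leaf_key, inter_key, False)
    fake_root = _make_cert(root_name, root_name, fake_key, fake_key, True)
    # Impostor listed first so a name-only match would pick the wrong root.
    return leaf, [fake_root, inter, root]


def chain_common_names(chain):
    return [c.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value for c in chain]


if __name__ == "__main__":
    leaf, store = build_demo_pki()
    print("AKI present on leaf:", has_aki(leaf))
    print(" -> ".join(chain_common_names(build_chain_by_name(leaf, store))))
```

The walk never consults a key identifier, so a missing AKI does not stop path building; what it does cost is a signature attempt per same-named candidate, which is why a verifier that relies on names alone has to be careful about which certificates it is willing to treat as trust anchors.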