--On Freitag, 26. April 2002 09:56 -0700 Howard Chu <hyc@highlandsun.com> wrote:

> Please send me a copy of the full debug output, not just the TLS messages.
> There should specifically be a call to ldap_dn2bv() with your
> certificate's DN being logged in normalized LDAP format. Which version of
> SASL library are you using?

TLS certificate verification: depth: 0, err: 0, subject:
/C=DE/ST=Baden-W\xFCrttemberg/L=T\xFCbingen/O=DAASI International
GmbH/CN=Norbert Klasen/Email=norbert.klasen@daasi.de, issuer:
International GmbH/OU=DAASI CA/Email=ca@daasi.de

There are two issues with this certificate:
- It includes an AVA with the pkcs emailAddress attribute, which is not defined in OpenLDAP's schema. This can be fixed easily. I suggest the following definition be added to core.schema:
# RFC 2459
# -- Legacy attributes
#pkcs9email ATTRIBUTE ::= {
# ID emailAddress }
#PHGString ::= IA5String (SIZE(1..ub-emailaddress-length))
# { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 }
#emailAddress OBJECT IDENTIFIER ::= { pkcs-9 1 }
#ub-emailaddress-length INTEGER ::= 128

# SYNTAX is the IA5 String syntax OID, limited to 128 characters
# (ub-emailaddress-length above)
attributetype ( 1.2.840.113549.1.9.1
       NAME 'pkcs9email'
       DESC 'RFC2459: legacy attribute for email addresses in DNs'
       EQUALITY caseIgnoreIA5Match
       SUBSTR caseIgnoreIA5SubstringsMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

- Secondly, it includes two AVAs tagged as TeletexString whose values contain Latin-1 characters. These surely fail the UTF8 validity check in LDAPDN_rewrite. It seems that all values are taken as being UTF8Strings. At least, the type field of ASN1_STRING *str in ldap_X509dn2bv is not being looked at.

Norbert Klasen, Dipl.-Inform.
DAASI International GmbH                 phone: +49 7071 29 70336
Wilhelmstr. 106                          fax:   +49 7071 29 5114
72074 Tübingen                           email: norbert.klasen@daasi.de
Germany                                  web:   http://www.daasi.de
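Added example (Python, not part of the original post or of OpenLDAP): decoding each X.509 DN attribute value according to its ASN.1 string tag before building the LDAP DN, which is the step the post says ldap_X509dn2bv skips, run on a constructed name modelled on the subject above. The tag numbers are the ASN.1 universal tags; the attribute name emailAddress and the reading of T61String bytes as Latin-1 are assumptions.

```python
# Constructed example: convert X.509 name values to UTF-8 by ASN.1 tag
# instead of assuming every value is already a UTF8String.

# ASN.1 universal tag numbers of the string types allowed in DirectoryString.
UTF8_STRING, PRINTABLE_STRING, T61_STRING, IA5_STRING = 12, 19, 20, 22
BMP_STRING, UNIVERSAL_STRING = 30, 28

# Codec per tag. T61String (TeletexString) is read as Latin-1 here because
# that is what the certificate in the post contains; strict T.61 differs.
_CODEC_FOR_TAG = {
    UTF8_STRING: "utf-8",
    PRINTABLE_STRING: "ascii",
    IA5_STRING: "ascii",
    T61_STRING: "latin-1",
    BMP_STRING: "utf-16-be",
    UNIVERSAL_STRING: "utf-32-be",
}

def is_valid_utf8(raw: bytes) -> bool:
    """The check a UTF-8-only DN rewrite effectively applies to every value."""
    try:
        raw.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False

def ava_value_to_utf8(tag: int, raw: bytes) -> str:
    """Decode one attribute value by its tag; strict decoding rejects
    mislabelled values instead of silently mangling them."""
    codec = _CODEC_FOR_TAG.get(tag)
    if codec is None:
        raise ValueError(f"unsupported DirectoryString tag {tag}")
    return raw.decode(codec)

def escape_rfc2253(value: str) -> str:
    """Escape the characters RFC 2253 requires in a string-form value."""
    out = []
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;'
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, len(value) - 1)
        out.append("\\" + ch if special or leading_hash or edge_space else ch)
    return "".join(out)

def x509_name_to_ldap_dn(avas) -> str:
    """avas: (attribute_type, asn1_tag, raw_bytes) in certificate order;
    returns the RFC 2253 form (most specific RDN first, comma separated)."""
    parts = [f"{a}={escape_rfc2253(ava_value_to_utf8(t, r))}" for a, t, r in avas]
    return ",".join(reversed(parts))

# Constructed sample modelled on the subject in the post: ST and L are
# T61String values holding Latin-1 bytes (0xFC is the u-umlaut).
SAMPLE_NAME = [
    ("C", PRINTABLE_STRING, b"DE"),
    ("ST", T61_STRING, b"Baden-W\xfcrttemberg"),
    ("L", T61_STRING, b"T\xfcbingen"),
    ("O", PRINTABLE_STRING, b"DAASI International GmbH"),
    ("CN", PRINTABLE_STRING, b"Norbert Klasen"),
    ("emailAddress", IA5_STRING, b"norbert.klasen@daasi.de"),
]
```

Run as written, the raw bytes b"T\xfcbingen" fail is_valid_utf8 but decode correctly once the T61String tag is honoured, and x509_name_to_ldap_dn(SAMPLE_NAME) yields a valid UTF-8 DN string.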