[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Any problems with X.509v3 Extensions?

To: Quanah Gibson-Mount <quanah@zimbra.com>
Subject: Re: Any problems with X.509v3 Extensions?
From: "Brian A. Seklecki" <lavalamp@spiritual-machines.org>
Date: Wed, 13 Feb 2008 00:12:47 -0500 (EST)
Cc: openldap-software@openldap.org
In-reply-to: <671E87FA610E15D313131271@[192.168.1.196]>
References: <20080201162711.H5392@arbitor.digitalfreaks.org> <4F407FBE3573ED790BC7B3FB@[192.168.1.196]> <20080204125702.F61212@arbitor.digitalfreaks.org> <671E87FA610E15D313131271@[192.168.1.196]>

On Mon, 4 Feb 2008, Quanah Gibson-Mount wrote:

--On Monday, February 04, 2008 12:58 PM -0500 "Brian A. Seklecki" <lavalamp@spiritual-machines.org> wrote:
Its a  platform-independent question.  There aren't any vendor-local
patches that would effect it -- and major OpenSSL development stopped a
while back.
OpenLDAP supports both GnuTLS and OpenSSL.

That is true -- but hopefully not too many people are using/depending on GnuTLS. That stuff is is really far out in the cut.

I've already done the hard work of digging through vendor-localized OpenSSL patches (FBSD Ports, Pkgsrc, Portage, DEBs, Fink) for things that would apply globally -- nothing came up, so I dropped the 'Office Space TPS Reports w/ the new Coversheet' bug report cliche and went right to the heart of it (as anyone asking about "X.509v3 certificate signing extensions" likely would be expected to. -- e.g, I was hoping to save you guys the trouble by the inherent directness.

That is to say, if the message had instead inquired: "Has anyone done a recent s/strcpy(3)/strlcpy(3)/g audit?", you can likely infer that I'm 1) Not running GNU/Linux 2) Am Running CVS Trunk 3) Not a PFY.

The current Debian stable has a hacked set of libraries. The questions


Or as my local LUG says "Don't you mean 'Debian Stale'?" -- >:}

were valid. In any case, I hope for success in your testing.


Thank you!

I didn't find any problem using a cert signed with extensions, so either the 1) The problem didn't exist on OpenLDAP and it was instead manifest in some other app (FreeRADIUS maybe?) 2) I imagined the problem in my OpenSSL naivety some time ago 3) The problem was fixed silently. 4) Solar flares. 5) ...

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration


l8*
	-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
	       http://www.spiritual-machines.org/

    "Guilty? Yeah. But he knows it. I mean, you're guilty.
    You just don't know it. So who's really in jail?"
    ~Maynard James Keenan

References:
- Any problems with X.509v3 Extensions?
  - From: "Brian A. Seklecki" <lavalamp@spiritual-machines.org>
- Re: Any problems with X.509v3 Extensions?
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- Re: Any problems with X.509v3 Extensions?
  - From: "Brian A. Seklecki" <lavalamp@spiritual-machines.org>
- Re: Any problems with X.509v3 Extensions?
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

Prev by Date: Re: AW: Solaris 10 OpenLDAP server message:
Next by Date: Re: Any problems with X.509v3 Extensions?
Index(es):
- Chronological
- Thread