
Re: tls init def ctx failed: -1 with my cacert signed certs



Jelle de Jong wrote:
On 24/07/09 18:22, Dieter Kluenter wrote:
Jelle de Jong<jelledejong@powercraft.nl>   writes:

Brian A. Seklecki wrote:
On Fri, 2009-07-24 at 15:11 +0200, Jelle de Jong wrote:
Hello everybody,
[...]
Hi BAS, thank you for helping, I gathered some more information I hope
it can help to see what is going on, I can't make anything from the
debug output of the openldap server

http://debian.pastebin.com/m56aaee1e

The powercraft/nl-certificate is missing the X509v3 Authority Key
Identifier

-Dieter


So that was an answer I was not expecting :D. So I contacted the
CACert.org people that are my root authority for my certs, and they
indeed do not support X509v3. I am creating a feature bug for this at
their bugtracker, however isn't there a way for openldap to not use the
X509v3 extensions?

Pretty sure the extensions are not required. However, X.509v1 certs are more easily spoofed. At any rate, when linked with OpenSSL you should be able to use any type of cert. Since you're on debian, and probably using GnuTLS, I'm not so sure. GnuTLS is still mostly unreliable, in my experience.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
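Dieter's diagnosis above turns on a distinction worth checking before filing anything upstream: is the CA certificate a v1 certificate (no extensions at all, so no Authority Key Identifier is even possible), or a v3 certificate that simply omits that one extension? The usual way to look is `openssl x509 -in cacert.pem -noout -text` and read the "X509v3 extensions" section. As an added example, not code from this thread, from OpenLDAP or from CACert, here is a dependency-free Python checker that walks the DER structure itself and reports the version plus whether the Authority Key Identifier (2.5.29.35) and Subject Key Identifier (2.5.29.14) extensions are present. The `build_toy_cert` helper and the names, dates and OIDs it uses are constructed purely so the example runs offline; the certificates it produces carry dummy keys and signatures and are not valid certificates.

```python
import base64
import sys

# OIDs of the two key-identifier extensions the thread is about (RFC 5280 4.2.1.1 / 4.2.1.2).
AKI_OID = "2.5.29.35"   # Authority Key Identifier
SKI_OID = "2.5.29.14"   # Subject Key Identifier


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed value into its list of (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        out.append((tag, inner))
    return out


def _decode_oid(value):
    """Dotted form of an OBJECT IDENTIFIER body (arcs under 2.40+ not handled; not needed here)."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def pem_to_der(pem_text):
    """Strip PEM armour and base64-decode the body."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def inspect_certificate(der):
    """Report the X.509 version and which extensions a DER certificate carries."""
    _, cert, _ = _read_tlv(der, 0)                  # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    fields = _children(_children(cert)[0][1])       # members of TBSCertificate
    version = 1                                     # [0] Version is absent in a v1 certificate
    if fields[0][0] == 0xA0:
        version = _children(fields[0][1])[0][1][-1] + 1   # INTEGER 0/1/2 -> v1/v2/v3
    extensions = []
    for tag, value in fields:
        if tag == 0xA3:                             # [3] EXPLICIT Extensions (v3 only)
            for _, ext in _children(_children(value)[0][1]):
                extensions.append(_decode_oid(_children(ext)[0][1]))   # extnID is the first member
    return {"version": version, "extensions": extensions,
            "has_aki": AKI_OID in extensions, "has_ski": SKI_OID in extensions}


# --- constructed sample input so the example runs offline (hypothetical, not real certs) ---

def _tlv(tag, content):
    """Encode one DER TLV (short or long length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV."""
    parts = [int(p) for p in dotted.split(".")]
    body = bytes([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, body)


def build_toy_cert(v3, extension_oids):
    """Placeholder certificate with the right outer shape but a dummy key and signature.
    It is NOT a valid certificate; it exists only to exercise inspect_certificate()."""
    alg = _tlv(0x30, _encode_oid("1.2.840.113549.1.1.11") + _tlv(0x05, b""))     # sha256WithRSA
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _encode_oid("2.5.4.3") + _tlv(0x0C, b"toy CA"))))
    tbs = _tlv(0xA0, _tlv(0x02, b"\x02")) if v3 else b""                         # [0] version 2 == v3
    tbs += _tlv(0x02, b"\x01") + alg + name                                      # serial, sigAlg, issuer
    tbs += _tlv(0x30, _tlv(0x17, b"090724000000Z") * 2) + name                   # validity, subject
    tbs += _tlv(0x30, _tlv(0x30, _encode_oid("1.2.840.113549.1.1.1") + _tlv(0x05, b"")) + _tlv(0x03, b"\x00\x00"))
    if extension_oids:                                                           # each extnValue is an empty SEQUENCE
        exts = b"".join(_tlv(0x30, _encode_oid(o) + _tlv(0x04, b"\x30\x00")) for o in extension_oids)
        tbs += _tlv(0xA3, _tlv(0x30, exts))
    return _tlv(0x30, _tlv(0x30, tbs) + alg + _tlv(0x03, b"\x00" * 9))


if __name__ == "__main__":
    if len(sys.argv) > 1:                           # usage: python <this file> cacert.pem
        with open(sys.argv[1]) as f:
            print(inspect_certificate(pem_to_der(f.read())))
    else:
        print("v3 with SKI+AKI:", inspect_certificate(build_toy_cert(True, [SKI_OID, AKI_OID])))
        print("v3 without AKI: ", inspect_certificate(build_toy_cert(True, [SKI_OID])))
        print("v1, no extns:   ", inspect_certificate(build_toy_cert(False, [])))
```

Run it against the real CA file to see which of the two cases applies: a report of `version: 1` means the issuer is emitting v1 certificates and no extension can be added without moving to v3, whereas `version: 3` with `has_aki: False` is the narrower "present but incomplete" case that a feature request to the CA could address. Either way the checker only describes the certificate; whether a given TLS library insists on the extension when building the chain is a separate question, and the answer differs between libraries.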