[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: tls init def ctx failed: -1 with my cacert signed certs

On Friday 24 July 2009 14:43:20 Jelle de Jong wrote:
> On 24/07/09 18:22, Dieter Kluenter wrote:
> > Jelle de Jong<jelledejong@powercraft.nl>  writes:
> >> Brian A. Seklecki wrote:
> >>> On Fri, 2009-07-24 at 15:11 +0200, Jelle de Jong wrote:
> >>>> Hello everybody,
> >
> > [...]
> >
> >> Hi BAS, thank you for helping, I gathered some more information I hope
> >> it can help to see what is going on, I can't make anything from the
> >> debug output of the openldap server
> >>
> >> http://debian.pastebin.com/m56aaee1e
> >
> > The powercraft/nl-certificate is misssing the X509v3 Authority Key
> > Identifier
> >
> > -Dieter
> So that was an answer I was not expecting :D. So I contacted the
> CACert.org people that are my root authority for my certs, and they
> indeed do not support X509v3. I am creating a feature bug for this at
> there bugtracker, however isn't there a way for openldap to not use the
> X509v3 extensions?

Oh, really? Since when is that? I have a bunch of certs from CACert.org which 
have all kinds of extensions like EKU, Netscape comment and so on and are 
therefore X509v3 certs. So, the statement that they "don't support X509v3" is 
obviously wrong. They might not support the AKI extension which is surprising 
as this extension is rather trivial to add.

What is the difference between a Turing machine and the modern
computer?  It's the same as that between Hillary's ascent of Everest
and the establishment of a Hilton on its peak.