
Re: tls init def ctx failed: -1 with my cacert signed certs



Howard Chu <hyc@symas.com> writes:

> Jelle de Jong wrote:
>> On 24/07/09 18:22, Dieter Kluenter wrote:
>>> Jelle de Jong<jelledejong@powercraft.nl>   writes:
>>>
>>>> Brian A. Seklecki wrote:
>>>>> On Fri, 2009-07-24 at 15:11 +0200, Jelle de Jong wrote:
>>>>>> Hello everybody,
>>> [...]
>>>> Hi BAS, thank you for helping, I gathered some more information I hope
>>>> it can help to see what is going on, I can't make anything from the
>>>> debug output of the openldap server
>>>>
>>>> http://debian.pastebin.com/m56aaee1e
>>>
>>> The powercraft/nl-certificate is missing the X509v3 Authority Key
>>> Identifier
>>
>> So that was an answer I was not expecting :D. So I contacted the
>> CACert.org people that are my root authority for my certs, and they
>> indeed do not support X509v3. I am creating a feature bug for this at
>> their bugtracker, however isn't there a way for openldap to not use the
>> X509v3 extensions?
>
> Pretty sure the extensions are not required. However, X.509v1 certs
> are more easily spoofed. At any rate, when linked with OpenSSL you
> should be able to use any type of cert. Since you're on debian, and
> probably using GnuTLS, I'm not so sure. GnuTLS is still mostly
> unreliable, in my experience.


If a signing keyid is not required, are there other methods to
describe and verify the certificate chain?

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
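The question closing this message, whether a chain can be verified when the leaf carries no signing keyid, can be checked directly. The script below is an added example, not code from anyone in this thread: it builds a constructed test CA and two leaf certificates with the openssl CLI, one signed with an explicit Authority Key Identifier and one without, and runs `openssl verify` against both. It assumes the openssl command-line tool is in PATH and a writable temp directory.

```sh
#!/bin/sh
# Added example (not from the thread). Without an AKI, OpenSSL chains the
# leaf to its issuer purely by matching the leaf's Issuer DN to the CA's
# Subject DN and then checking the signature with the CA's public key.
# Assumes: openssl CLI in PATH, writable temp directory via mktemp.
set -e
WORK=$(mktemp -d)
CURVE="ec -pkeyopt ec_paramgen_curve:prime256v1"   # fast key generation

# Constructed self-signed CA; current openssl adds a subjectKeyIdentifier.
openssl req -x509 -newkey $CURVE -nodes -keyout "$WORK/ca.key" \
  -out "$WORK/ca.crt" -subj "/CN=Constructed Test CA" -days 1 2>/dev/null

# CSR for the LDAP server (constructed name).
openssl req -new -newkey $CURVE -nodes -keyout "$WORK/leaf.key" \
  -out "$WORK/leaf.csr" -subj "/CN=ldap.example.test" 2>/dev/null

# Leaf signed with no extension file: OpenSSL 1.x emits a v1 certificate
# with no extensions at all (the CAcert situation in the thread); 3.x may
# add SKID/AKID by default, but the verification result is the same.
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/leaf_plain.crt" 2>/dev/null

# Leaf signed with an explicit AKI that references the CA's key identifier.
printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer\n' \
  > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/leaf_aki.crt" 2>/dev/null

# Print "present" or "absent" depending on whether the certificate carries
# the X509v3 Authority Key Identifier extension.
has_aki() {
  if openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Authority Key Identifier'; then
    echo present
  else
    echo absent
  fi
}

# Exit 0 when openssl can build and validate the chain leaf -> CA.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

echo "leaf_plain: AKI $(has_aki "$WORK/leaf_plain.crt")"
echo "leaf_aki:   AKI $(has_aki "$WORK/leaf_aki.crt")"
verify_chain "$WORK/leaf_plain.crt" && echo "leaf_plain verifies (chained by Issuer DN)"
verify_chain "$WORK/leaf_aki.crt" && echo "leaf_aki verifies (chained by keyid and DN)"
```

Both leaves verify; the AKI only lets a verifier pick the right issuer key quickly when several CAs share a name, which is why its absence is a nuisance rather than a hard failure.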