Re: tls init def ctx failed: -1 with my cacert signed certs
Dieter Kluenter wrote:
> Howard Chu <firstname.lastname@example.org> writes:
>> Jelle de Jong wrote:
>>> On 24/07/09 18:22, Dieter Kluenter wrote:
>>>> Jelle de Jong<email@example.com> writes:
>>>>> Brian A. Seklecki wrote:
>>>>>> On Fri, 2009-07-24 at 15:11 +0200, Jelle de Jong wrote:
>>>>>>> Hello everybody,
>>>>> Hi BAS, thank you for helping, I gathered some more information I hope
>>>>> it can help to see what is going on, I can't make anything from the
>>>>> debug output of the openldap server
>>>> The powercraft/nl-certificate is missing the X509v3 Authority Key
>>> So that was an answer I was not expecting :D. So I contacted the
>>> CACert.org people that are my root authority for my certs, and they
>>> indeed do not support X509v3. I am creating a feature bug for this at
>>> their bugtracker, however isn't there a way for openldap to not use the
>>> X509v3 extensions?
>> Pretty sure the extensions are not required. However, X.509v1 certs
>> are more easily spoofed.
> If a signing keyid is not required, are there other methods to
> describe and verify the certificate chain?
Yes, of course!
RFC 5280, section 4.1.2.4:
Certificate users MUST be prepared to process the issuer
distinguished name and subject distinguished name (Section 4.1.2.6)
fields to perform name chaining for certification path validation
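The name chaining the RFC passage describes, and the way a key identifier narrows it down when one is present, as an added example that is not part of this thread or of OpenLDAP's code. The certificate records are constructed dictionaries standing in for parsed certificates (the DNs, key-identifier values and labels are invented), and the code covers only the candidate-issuer selection step of path building: signature checking is deliberately out of scope, so a path returned here still has to have every signature verified before it counts as valid.

```python
"""Candidate-issuer selection for X.509 path building (added example).

Name chaining (RFC 5280 section 4.1.2.4): a candidate issuer's subject DN
must equal the certificate's issuer DN.  When the certificate also carries
an AuthorityKeyIdentifier (section 4.2.1.1), the candidate's
SubjectKeyIdentifier must match it as well, which resolves the ambiguity
that pure name chaining leaves when a CA has several certificates with the
same subject DN (for example after a key rollover).
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    label: str             # human-readable tag for output (constructed)
    subject: str           # subject DN as a string
    issuer: str            # issuer DN as a string
    ski: Optional[str]     # SubjectKeyIdentifier (hex) or None (v1-style cert)
    aki: Optional[str]     # AuthorityKeyIdentifier keyid (hex) or None
    is_ca: bool


def candidate_issuers(cert: Cert, pool: List[Cert]) -> List[Cert]:
    """Return the CA certificates that may have issued `cert`.

    Without an AKI only name chaining is available, so every CA whose
    subject equals cert.issuer is a candidate.  With an AKI the SKI must
    match too; a name match with the wrong key id is treated as
    disqualifying rather than as a fallback.
    """
    by_name = [c for c in pool
               if c.is_ca and c.subject == cert.issuer and c != cert]
    if cert.aki is None:
        return by_name
    return [c for c in by_name if c.ski == cert.aki]


def build_paths(leaf: Cert, pool: List[Cert], anchors: List[Cert],
                max_depth: int = 8) -> List[List[Cert]]:
    """Every chain leaf -> ... -> trust anchor that chaining data allows.

    More than one path means the chaining fields alone cannot identify the
    issuer; a verifier then has to try the signature against each candidate.
    Zero paths means no trust anchor is reachable.
    """
    paths: List[List[Cert]] = []

    def walk(chain: List[Cert]) -> None:
        current = chain[-1]
        if current in anchors:
            paths.append(list(chain))
            return
        if len(chain) >= max_depth:
            return
        for cand in candidate_issuers(current, pool + anchors):
            if cand in chain:          # guard against cross-signing loops
                continue
            walk(chain + [cand])

    walk([leaf])
    return paths


# Constructed sample: a root CA that rolled its key but kept its subject DN,
# so two anchor certificates share the same name and differ only in key.
ROOT_OLD = Cert("root (old key)", "CN=Example Root CA", "CN=Example Root CA",
                ski="aa11", aki=None, is_ca=True)
ROOT_NEW = Cert("root (new key)", "CN=Example Root CA", "CN=Example Root CA",
                ski="bb22", aki=None, is_ca=True)
ANCHORS = [ROOT_OLD, ROOT_NEW]

# Intermediate with key ids, and two server certs: one without any key
# identifiers (what a v1-style cert looks like) and one with an AKI.
SUB_CA = Cert("issuing CA", "CN=Example Issuing CA", "CN=Example Root CA",
              ski="cc33", aki="bb22", is_ca=True)
LEAF_NO_IDS = Cert("ldap server, no key ids", "CN=ldap.example.test",
                   "CN=Example Root CA", ski=None, aki=None, is_ca=False)
LEAF_WITH_AKI = Cert("ldap server with AKI", "CN=ldap.example.test",
                     "CN=Example Issuing CA", ski="dd44", aki="cc33", is_ca=False)


def demo() -> dict:
    """Number of candidate paths for each sample leaf."""
    return {
        "no_key_ids": len(build_paths(LEAF_NO_IDS, [SUB_CA], ANCHORS)),
        "with_aki": len(build_paths(LEAF_WITH_AKI, [SUB_CA], ANCHORS)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} candidate path(s)")
    for path in build_paths(LEAF_NO_IDS, [SUB_CA], ANCHORS):
        print(" -> ".join(c.label for c in path))
```

The leaf without key identifiers name-chains to both root certificates, so the verifier cannot tell from the chaining fields alone which key signed it and must try each; the leaf with an AKI chains to exactly one intermediate and from there, via the intermediate's AKI, to the new root only.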