
Re: tls init def ctx failed: -1 with my cacert signed certs



Dieter Kluenter wrote:
> Howard Chu <hyc@symas.com> writes:
> 
>> Jelle de Jong wrote:
>>> On 24/07/09 18:22, Dieter Kluenter wrote:
>>>>>> Jelle de Jong <jelledejong@powercraft.nl> writes:
>>>>
>>>>> Brian A. Seklecki wrote:
>>>>>> On Fri, 2009-07-24 at 15:11 +0200, Jelle de Jong wrote:
>>>>>>> Hello everybody,
>>>> [...]
>>>>> Hi BAS, thank you for helping, I gathered some more information I hope
>>>>> it can help to see what is going on, I can't make anything from the
>>>>> debug output of the openldap server
>>>>>
>>>>> http://debian.pastebin.com/m56aaee1e
>>>> The powercraft/nl-certificate is missing the X509v3 Authority Key
>>>> Identifier
> 
>>> So that was an answer I was not expecting :D. So I contacted the
>>> CACert.org people that are my root authority for my certs, and they
>>> indeed do not support X509v3. I am creating a feature bug for this at
>>> their bugtracker, however isn't there a way for openldap to not use the
>>> X509v3 extensions?
>> Pretty sure the extensions are not required. However, X.509v1 certs
>> are more easily spoofed.

Yupp.

> If a signing keyid is not required, are there other methods to
> describe and verify the certificate chain?

Yes, of course!

RFC 5280, section 4.1.2.4.:

   Certificate users MUST be prepared to process the issuer
   distinguished name and subject distinguished name (Section 4.1.2.6)
   fields to perform name chaining for certification path validation
   (Section 6).

Ciao, Michael.
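The name chaining that the RFC excerpt describes, as an added example that is not part of the thread and not OpenLDAP code. It is a toy model: certificates are plain Python records rather than ASN.1, signature verification is stood in for by comparing a constructed "signer_key" fingerprint with the issuer's key fingerprint, and DNs are compared as exact tuples (the RFC 5280 section 7.1 comparison rules are simplified away). All names, key ids and the look-alike root are constructed. It shows that a certificate with no Authority Key Identifier still chains to its issuer by DN alone, and that when two CAs carry the same DN, the AKI narrows the candidates before any signature is checked, while without it every same-named CA has to be tried.

```python
"""Toy model of RFC 5280 name chaining (section 4.1.2.4) with optional
Authority/Subject Key Identifier matching (sections 4.2.1.1 and 4.2.1.2).

Added example, not code from the thread or from OpenLDAP. Certificates are
plain records: no ASN.1, and signature verification is modelled by comparing
a 'signer_key' fingerprint with the issuer's key fingerprint. DNs are compared
as exact tuples, which simplifies the RFC 5280 section 7.1 comparison rules.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

DN = Tuple[Tuple[str, str], ...]


@dataclass(frozen=True)
class Cert:
    label: str                   # constructed label, for readable output
    subject: DN
    issuer: DN
    key_id: bytes                # fingerprint of the certificate's own public key
    signer_key: bytes            # fingerprint of the key that signed it (stands in for the signature)
    ski: Optional[bytes] = None  # X509v3 Subject Key Identifier, None on a v1 cert
    aki: Optional[bytes] = None  # X509v3 Authority Key Identifier, None on a v1 cert


def candidate_issuers(cert: Cert, pool: List[Cert]) -> List[Cert]:
    """Name chaining: the issuer DN must equal the candidate's subject DN.
    If the cert carries an AKI, narrow to candidates whose SKI matches it."""
    by_name = [c for c in pool if c.subject == cert.issuer]
    if cert.aki is None:
        return by_name
    return [c for c in by_name if c.ski == cert.aki]


def signature_ok(cert: Cert, issuer: Cert) -> bool:
    """Stand-in for the RFC 5280 section 6 signature check."""
    return cert.signer_key == issuer.key_id


def build_paths(leaf: Cert, pool: List[Cert], anchors: Set[Cert],
                path: Optional[List[Cert]] = None, max_depth: int = 8) -> List[List[Cert]]:
    """Return every path leaf -> ... -> trust anchor whose signatures all check."""
    path = (path or []) + [leaf]
    if leaf in anchors:
        return [path]
    if len(path) > max_depth:
        return []
    found: List[List[Cert]] = []
    for issuer in candidate_issuers(leaf, pool):
        if issuer in path or not signature_ok(leaf, issuer):
            continue  # loop guard for self-signed certs, and reject bad signatures
        found.extend(build_paths(issuer, pool, anchors, path, max_depth))
    return found


# Constructed pool: a real root and a look-alike with the identical DN.
ROOT_DN: DN = (("C", "XX"), ("O", "Example CA"), ("CN", "Example Root"))
LEAF_DN: DN = (("C", "XX"), ("O", "Example Ltd"), ("CN", "ldap.example.test"))

REAL_ROOT = Cert("real-root", ROOT_DN, ROOT_DN, key_id=b"\x01", signer_key=b"\x01",
                 ski=b"\x01", aki=b"\x01")
LOOKALIKE = Cert("lookalike-root", ROOT_DN, ROOT_DN, key_id=b"\x02", signer_key=b"\x02",
                 ski=b"\x02", aki=b"\x02")
# v1-style leaf: no key identifiers, chains by name alone (the CAcert case in the thread)
LEAF_V1 = Cert("leaf-v1", LEAF_DN, ROOT_DN, key_id=b"\x10", signer_key=b"\x01")
# v3 leaf: its AKI points at the real root's key
LEAF_V3 = Cert("leaf-v3", LEAF_DN, ROOT_DN, key_id=b"\x11", signer_key=b"\x01",
               ski=b"\x11", aki=b"\x01")

POOL = [REAL_ROOT, LOOKALIKE]
ANCHORS = {REAL_ROOT}


def issuers_to_try(leaf: Cert) -> List[str]:
    """Issuer candidates a path builder must examine before checking signatures."""
    return [c.label for c in candidate_issuers(leaf, POOL)]


def path_labels(leaf: Cert) -> List[List[str]]:
    """Valid certification paths, as lists of labels."""
    return [[c.label for c in p] for p in build_paths(leaf, POOL, ANCHORS)]


if __name__ == "__main__":
    for leaf in (LEAF_V1, LEAF_V3):
        print(leaf.label, "candidates by name/AKI:", issuers_to_try(leaf),
              "valid paths:", path_labels(leaf))
```

Both leaves end up on the same single valid path to the real root; the difference is that the v1 leaf forces the signature check against every CA with that subject DN, whereas the v3 leaf's AKI rules out the look-alike before any signature is examined.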