RE: SASL EXTERNAL



> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Norbert Klasen

> --On Freitag, 26. April 2002 09:56 -0700 Howard Chu <hyc@highlandsun.com>
> wrote:
>
> > Please send me a copy of the full debug output, not just the TLS messages.
> > There should specifically be a call to ldap_dn2bv() with your
> > certificate's DN being logged in normalized LDAP format. Which version of
> > SASL library are you using?
> >
> >> TLS certificate verification: depth: 0, err: 0, subject:
> >> /C=DE/ST=Baden-W\xFCrttemberg/L=T\xFCbingen/O=DAASI International
> >> GmbH/CN=Norbert Klasen/Email=norbert.klasen@daasi.de, issuer:
> >> /C=DE/O=DAASI
> >> International GmbH/OU=DAASI CA/Email=ca@daasi.de
>
> There are two issues with this certificate:
> - It includes an AVA with the pkcs emailAddress attribute, which is not
> defined in OpenLDAP's schema. This can be fixed easily. I suggest the
> following definition be added to core.schema:

The pkcs9 email attribute is already defined in cosine.schema. I have this
included in my test configs so I never noticed a problem here.

> - Secondly it includes two AVAs tagged as TeletexString whose values
> contain Latin-1 characters. These surely fail the UTF8 validity check in
> LDAPDN_rewrite. It seems that all values are taken as being UTF8Strings.
> At least, the type field of ASN1_STRING *str in ldap_X509dn2bv is not
> being looked at.

Ah, I was wondering what was going to happen here. As far as I had seen, the
OpenSSL tools were very sloppy with 8-bit DNs so I assumed they would not be
used. (There are frequent emails on the OpenSSL lists asking for help getting
them to work, so I assume most people can't/don't.)

I have ldap_t61s_to_utf8s() in libldap which can be used to address this
problem, but it still won't produce the intended result for your DN. Your
Latin-1 (ISO 8859-1) xFC (Latin small letter U with diaeresis - u umlaut) is
not correct for the T.61 Teletex definition. In T.61 xFC is the small
Icelandic thorn character.
Basically your DN is improperly constructed; xC8x55 is the correct T.61
sequence for (Latin small letter U with diaeresis - u umlaut).

So, even if ldap_X509dn2bv() was honoring the type field (which I believe it
needs to do) your DN is corrupt and will still be corrupt after UTF8
conversion.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
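The T.61-versus-Latin-1 point in the reply above, as an added example that is not OpenLDAP's ldap_t61s_to_utf8s() nor any code from the thread: a decoder for just the T.61 subset involved (ASCII, the non-spacing diaeresis 0xC8 applied to the letter that follows it, and 0xFC), run over constructed byte strings. The vowel table is an assumption limited to the letters that take an umlaut; every other non-ASCII T.61 byte is rejected rather than guessed at.

```c
#include <stdio.h>
#include <string.h>

/* T.61 non-spacing diaeresis (0xC8) applied to the letter that follows it.
 * Returns the precomposed code point, or 0 if the letter takes no umlaut. */
static unsigned t61_diaeresis(unsigned char base) {
    switch (base) {
    case 'a': return 0xE4; case 'e': return 0xEB; case 'i': return 0xEF;
    case 'o': return 0xF6; case 'u': return 0xFC; case 'y': return 0xFF;
    case 'A': return 0xC4; case 'E': return 0xCB; case 'I': return 0xCF;
    case 'O': return 0xD6; case 'U': return 0xDC; default:  return 0;
    }
}

/* Decode T.61 bytes into NUL-terminated UTF-8. Covers ASCII, the 0xC8
 * diaeresis prefix and T.61 0xFC (small thorn); returns 0 on success,
 * -1 on any other non-ASCII byte or when out is too small. */
int t61_to_utf8(const unsigned char *in, size_t len, char *out, size_t outsz) {
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned cp;
        if (o + 3 > outsz) return -1;          /* room for 2 bytes plus NUL */
        if (in[i] < 0x80) { out[o++] = (char)in[i]; continue; }
        if (in[i] == 0xC8 && i + 1 < len) {
            cp = t61_diaeresis(in[++i]);       /* accent byte, then base letter; case follows the letter */
            if (cp == 0) return -1;
        } else if (in[i] == 0xFC) {
            cp = 0x00FE;                       /* thorn: what Latin-1's u-umlaut byte means in T.61 */
        } else {
            return -1;                         /* rest of T.61 not covered here */
        }
        out[o++] = (char)(0xC0 | (cp >> 6));   /* all cases above are below U+0800 */
        out[o++] = (char)(0x80 | (cp & 0x3F));
    }
    out[o] = '\0';
    return 0;
}

int main(void) {
    /* constructed samples: the Latin-1 bytes of the DN in the mail, then the same name in T.61 */
    const unsigned char latin1[] = { 'T', 0xFC, 'b', 'i', 'n', 'g', 'e', 'n' };
    const unsigned char t61[] = { 'T', 0xC8, 'u', 'b', 'i', 'n', 'g', 'e', 'n' };
    char buf[32];
    if (t61_to_utf8(latin1, sizeof latin1, buf, sizeof buf) == 0)
        printf("Latin-1 bytes read as T.61: %s\n", buf);    /* Tþbingen */
    if (t61_to_utf8(t61, sizeof t61, buf, sizeof buf) == 0)
        printf("correct T.61 bytes:         %s\n", buf);    /* Tübingen */
    return 0;
}
```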