On Mon, 4 Feb 2008, Quanah Gibson-Mount wrote:
--On Monday, February 04, 2008 12:58 PM -0500 "Brian A. Seklecki" lavalamp@spiritual-machines.org wrote:
It's a platform-independent question. There aren't any vendor-local patches that would affect it -- and major OpenSSL development stopped a while back.
OpenLDAP supports both GnuTLS and OpenSSL.
That is true -- but hopefully not too many people are using/depending on GnuTLS. That stuff is really far out in the cut.
I've already done the hard work of digging through vendor-localized OpenSSL patches (FBSD Ports, Pkgsrc, Portage, DEBs, Fink) for things that would apply globally -- nothing came up, so I dropped the 'Office Space TPS Reports w/ the new Coversheet' bug report cliche and went right to the heart of it (as anyone asking about "X.509v3 certificate signing extensions" likely would be expected to) -- e.g., I was hoping to save you guys the trouble by the inherent directness.
That is to say, if the message had instead inquired: "Has anyone done a recent s/strcpy(3)/strlcpy(3)/g audit?", you can likely infer that I'm 1) Not running GNU/Linux 2) Am Running CVS Trunk 3) Not a PFY.
The current Debian stable has a hacked set of libraries. The questions
Or as my local LUG says "Don't you mean 'Debian Stale'?" -- >:}
were valid. In any case, I hope for success in your testing.
Thank you!
I didn't find any problem using a cert signed with extensions, so either 1) The problem didn't exist on OpenLDAP and it was instead manifest in some other app (FreeRADIUS maybe?) 2) I imagined the problem in my OpenSSL naivety some time ago 3) The problem was fixed silently. 4) Solar flares. 5) ...
--Quanah
--
Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/
"Guilty? Yeah. But he knows it. I mean, you're guilty. You just don't know it. So who's really in jail?" ~Maynard James Keenan