Kevin Vargo wrote:
Right; except that in ITS#3113, you explicitly state that back-sql should refuse binary data,
I said that no ";binary" should be used. That's different from refusing binary data, don't you agree?
p.
don't you? Granted, that was a while back, however, I've not found mention of where that directive has been obsoleted. As well the retrieval errors are consistent with invalid binary->text conversion upon selection out of the database.
Namely, error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
So, how do I (a) tell Back-SQL that the data is binary or (b) do something else.
You don't need to tell back-sql if data is binary or not: it already knows how to deal with data based on their syntax. You need to tell the RDBMS that it's storing binary data, and store the certificate in the RDBMS as binary. If you store the certificate in base64, then back-sql (actually, the certificate's validator; back-sql just passes octet strings around) doesn't know what to do with it.
Note that this is the OpenSSL invoked by the X.509 validator (assuming TLS was turned on), even though the certificate in question is not being used for TLS. However, the normalization still fails, even (as mentioned) if validation is disabled. I'm assuming the normalization failure would be related, although I haven't gotten there yet.
TLS has nothing to do with this. OpenLDAP just needs to be compiled with ssl to have certificate handling routines around.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati@sys-net.it ------------------------------------------
openldap-software@openldap.org
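As an added illustration of the point made above (this is not code from the thread or from OpenLDAP), the script below round-trips a certificate through a BLOB column, as the RDBMS behind back-sql would, and then applies the first check an ASN.1 decoder makes on the returned octet string. It assumes SQLite as a stand-in for the RDBMS and a constructed five-byte DER SEQUENCE as a stand-in for a real userCertificate; a base64 or PEM text value stored in the same column comes back starting with 'M' or '-' instead of the SEQUENCE tag 0x30, which is exactly the "wrong tag" situation.

```python
import base64
import sqlite3

# Constructed stand-in for a DER-encoded certificate: SEQUENCE { INTEGER 5 }.
# A real userCertificate is also an outer SEQUENCE (tag 0x30), just much longer.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body to raw DER."""
    body = [ln for ln in pem.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def outer_tlv_ok(blob: bytes) -> bool:
    """Cheap sanity check mirroring the first step of an ASN.1 decoder:
    the outer tag must be SEQUENCE (0x30) and the length must match."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False  # e.g. '-' (0x2D) from PEM armour or 'M' (0x4D) from base64
    first = blob[1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(blob) < 2 + n:
            return False
        length, hdr = int.from_bytes(blob[2:2 + n], "big"), 2 + n
    return len(blob) == hdr + length


def store_and_reload(value) -> bytes:
    """Round-trip a value through a BLOB column (SQLite stands in for the RDBMS).
    Returns the stored value as bytes, i.e. the octet string back-sql would pass on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE certs (id INTEGER PRIMARY KEY, cert BLOB)")
    conn.execute("INSERT INTO certs (cert) VALUES (?)", (value,))
    (out,) = conn.execute("SELECT cert FROM certs").fetchone()
    conn.close()
    # A str written to a BLOB column comes back as TEXT; encode it to see the raw octets.
    return out if isinstance(out, bytes) else out.encode()


if __name__ == "__main__":
    print("DER blob   :", outer_tlv_ok(store_and_reload(pem_to_der(SAMPLE_PEM))))  # True
    print("PEM as text:", outer_tlv_ok(store_and_reload(SAMPLE_PEM)))              # False
```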