8:24 a.m.
Brian A. Seklecki wrote:
On Fri, 2009-07-24 at 15:11 +0200, Jelle de Jong wrote:
> Hello everybody,
>
> This is my first post to this list so thank you for making and
> supporting openldap and be gentle on me :)
>
> I have a server that has cacert.org signed certificats, I use them for
> apache
Does:
/usr/share/ca-certificates/cacert.org/root.crt
Have an entire concatenated CA Chain? Are there intermediate certs?
try:
$ openssl x509 -text -in /usr/share/ca-certificates/cacert.org/root.crt
~BAS
> https, postfix and dovecot. Now I am trying to use them to get a
> secure only access to openldap. I am still a bit new to openldap but I
> get this output:
>
> http://debian.pastebin.com/m449836db
>
> What is going on?
>
Hi BAS, thank you for helping, I gathered some more information I hope
it can help to see what is going on, I can't make anything from the
debug output of the openldap server
http://debian.pastebin.com/m56aaee1e
Thanks in advance,
Jelle
9:22 a.m.
New subject: tls init def ctx failed: -1 with my cacert signed certs
Jelle de Jong <jelledejong(a)powercraft.nl> writes:
Brian A. Seklecki wrote:
> On Fri, 2009-07-24 at 15:11 +0200, Jelle de Jong wrote:
>> Hello everybody,
[...]
Hi BAS, thank you for helping, I gathered some more information I
hope
it can help to see what is going on, I can't make anything from the
debug output of the openldap server
http://debian.pastebin.com/m56aaee1e
The powercraft/nl-certificate is misssing the X509v3 Authority Key
Identifier
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
11:43 a.m.
New subject: tls init def ctx failed: -1 with my cacert signed certs
On 24/07/09 18:22, Dieter Kluenter wrote:
Jelle de Jong<jelledejong(a)powercraft.nl> writes:
> Brian A. Seklecki wrote:
>> On Fri, 2009-07-24 at 15:11 +0200, Jelle de Jong wrote:
>>> Hello everybody,
[...]
> Hi BAS, thank you for helping, I gathered some more information I hope
> it can help to see what is going on, I can't make anything from the
> debug output of the openldap server
>
> http://debian.pastebin.com/m56aaee1e
The powercraft/nl-certificate is misssing the X509v3 Authority Key
Identifier
-Dieter
So that was an answer I was not expecting :D. So I contacted the
CACert.org people that are my root authority for my certs, and they
indeed do not support X509v3. I am creating a feature bug for this at
there bugtracker, however isn't there a way for openldap to not use the
X509v3 extensions?
Thanks in advance,
Jelle
1:22 p.m.
New subject: tls init def ctx failed: -1 with my cacert signed certs
On Friday 24 July 2009 14:43:20 Jelle de Jong wrote:
On 24/07/09 18:22, Dieter Kluenter wrote:
> Jelle de Jong<jelledejong(a)powercraft.nl> writes:
>> Brian A. Seklecki wrote:
>>> On Fri, 2009-07-24 at 15:11 +0200, Jelle de Jong wrote:
>>>> Hello everybody,
>
> [...]
>
>> Hi BAS, thank you for helping, I gathered some more information I hope
>> it can help to see what is going on, I can't make anything from the
>> debug output of the openldap server
>>
>> http://debian.pastebin.com/m56aaee1e
>
> The powercraft/nl-certificate is misssing the X509v3 Authority Key
> Identifier
>
> -Dieter
So that was an answer I was not expecting :D. So I contacted the
CACert.org people that are my root authority for my certs, and they
indeed do not support X509v3. I am creating a feature bug for this at
there bugtracker, however isn't there a way for openldap to not use the
X509v3 extensions?
Oh, really? Since when is that? I have a bunch of certs from CACert.org which
have all kinds of extensions like EKU, Netscape comment and so on and are
therefore X509v3 certs. So, the statement that they "don't support X509v3"
is
obviously wrong. They might not support the AKI extension which is surprising
as this extension is rather trivial to add.
Karsten.
--
What is the difference between a Turing machine and the modern
computer? It's the same as that between Hillary's ascent of Everest
and the establishment of a Hilton on its peak.
4:23 a.m.
New subject: tls init def ctx failed: -1 with my cacert signed certs
Karsten Künne wrote:
They might not support the AKI extension which is surprising
as this extension is rather trivial to add.
Well, they should add it to be compliant with PKIX cert profile.
RFC 5280, section 4.2.1.1.:
The keyIdentifier field of the authorityKeyIdentifier extension MUST
be included in all certificates generated by conforming CAs to
facilitate certification path construction. There is one exception;
where a CA distributes its public key in the form of a "self-signed"
certificate, the authority key identifier MAY be omitted.
Ciao, Michael.
1:32 p.m.
New subject: tls init def ctx failed: -1 with my cacert signed certs
Jelle de Jong wrote:
On 24/07/09 18:22, Dieter Kluenter wrote:
> Jelle de Jong<jelledejong(a)powercraft.nl> writes:
>
>> Brian A. Seklecki wrote:
>>> On Fri, 2009-07-24 at 15:11 +0200, Jelle de Jong wrote:
>>>> Hello everybody,
> [...]
>> Hi BAS, thank you for helping, I gathered some more information I hope
>> it can help to see what is going on, I can't make anything from the
>> debug output of the openldap server
>>
>> http://debian.pastebin.com/m56aaee1e
>
> The powercraft/nl-certificate is misssing the X509v3 Authority Key
> Identifier
>
> -Dieter
So that was an answer I was not expecting :D. So I contacted the
CACert.org people that are my root authority for my certs, and they
indeed do not support X509v3. I am creating a feature bug for this at
there bugtracker, however isn't there a way for openldap to not use the
X509v3 extensions?
Pretty sure the extensions are not required. However, X.509v1 certs are more
easily spoofed. At any rate, when linked with OpenSSL you should be able to
use any type of cert. Since you're on debian, and probably using GnuTLS, I'm
not so sure. GnuTLS is still mostly unreliable, in my experience.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
1:16 a.m.
New subject: tls init def ctx failed: -1 with my cacert signed certs
Howard Chu <hyc(a)symas.com> writes:
Jelle de Jong wrote:
> On 24/07/09 18:22, Dieter Kluenter wrote:
>> Jelle de Jong<jelledejong(a)powercraft.nl> writes:
>>
>>> Brian A. Seklecki wrote:
>>>> On Fri, 2009-07-24 at 15:11 +0200, Jelle de Jong wrote:
>>>>> Hello everybody,
>> [...]
>>> Hi BAS, thank you for helping, I gathered some more information I hope
>>> it can help to see what is going on, I can't make anything from the
>>> debug output of the openldap server
>>>
>>> http://debian.pastebin.com/m56aaee1e
>>
>> The powercraft/nl-certificate is misssing the X509v3 Authority Key
>> Identifier
>
> So that was an answer I was not expecting :D. So I contacted the
> CACert.org people that are my root authority for my certs, and they
> indeed do not support X509v3. I am creating a feature bug for this at
> there bugtracker, however isn't there a way for openldap to not use the
> X509v3 extensions?
Pretty sure the extensions are not required. However, X.509v1 certs
are more easily spoofed. At any rate, when linked with OpenSSL you
should be able to use any type of cert. Since you're on debian, and
probably using GnuTLS, I'm not so sure. GnuTLS is still mostly
unreliable, in my experience.
If a signing keyid is not required, are there other methods to
describe and verify the certificate chain?
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
4:21 a.m.
New subject: tls init def ctx failed: -1 with my cacert signed certs
Dieter Kluenter wrote:
Howard Chu <hyc(a)symas.com> writes:
> Jelle de Jong wrote:
>> On 24/07/09 18:22, Dieter Kluenter wrote:
>>> Jelle de Jong<jelledejong(a)powercraft.nl> writes:
>>>
>>>> Brian A. Seklecki wrote:
>>>>> On Fri, 2009-07-24 at 15:11 +0200, Jelle de Jong wrote:
>>>>>> Hello everybody,
>>> [...]
>>>> Hi BAS, thank you for helping, I gathered some more information I hope
>>>> it can help to see what is going on, I can't make anything from the
>>>> debug output of the openldap server
>>>>
>>>> http://debian.pastebin.com/m56aaee1e
>>> The powercraft/nl-certificate is misssing the X509v3 Authority Key
>>> Identifier
>> So that was an answer I was not expecting :D. So I contacted the
>> CACert.org people that are my root authority for my certs, and they
>> indeed do not support X509v3. I am creating a feature bug for this at
>> there bugtracker, however isn't there a way for openldap to not use the
>> X509v3 extensions?
> Pretty sure the extensions are not required. However, X.509v1 certs
> are more easily spoofed.
Yupp.
If a signing keyid is not required, are there other methods to
describe and verify the certificate chain?
Yes, off course!
RFC 5280, section 4.1.2.4.:
Certificate users MUST be prepared to process the issuer
distinguished name and subject distinguished name (Section 4.1.2.6)
fields to perform name chaining for certification path validation
(Section 6).
Ciao, Michael.
5179
days inactive
5180
days old
openldap-software@openldap.org
7 comments
5 participants
participants (5)
-
Dieter Kluenter -
Howard Chu -
Jelle de Jong -
Karsten Künne -
Michael Ströder