All:
Does anyone know of any known-problems with OpenLDAP server/client-side certificates signed with X509 v3 Extensions?
e.g.,
$ openssl x509 -text -in interface.crt.pem
X509v3 extensions:
    X509v3 Subject Alternative Name:
        email:ldap@tld
    Netscape Cert Type:
        SSL Server, S/MIME, Object Signing
    X509v3 Extended Key Usage:
        TLS Web Server Authentication
With openssl.cnf:
[ v3_req_ext ]
subjectAltName=email:copy
nsCertType = server, email, objsign
nsComment = "OpenSSL Generated Server Certificate"
# .2 = Client, .1 = Server
#extendedKeyUsage = 1.3.6.1.5.5.7.3.2
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
This is the way Godaddy rocks out.
Every year I suffer through hours of self-abnegation trying to re-issue certificates for a dozen F/OSS applications that all have little caveats --- This year I'm writing that shit down >:}
~BAS
--On Friday, February 01, 2008 4:29 PM -0500 "Brian A. Seklecki" lavalamp@spiritual-machines.org wrote:
All:
Does anyone know of any known-problems with OpenLDAP server/client-side certificates signed with X509 v3 Extensions?
You leave out key information --
What version of OpenLDAP are you using?
What underlying SSL software are you using? What version of that software?
Is your distro Debian?
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
You leave out key information --
What version of OpenLDAP are you using?
What underlying SSL software are you using? What version of that software?
Is your distro Debian?
It's a platform-independent question. There aren't any vendor-local patches that would affect it -- and major OpenSSL development stopped a while back.
I'm going to test it tonight w/ & w/o extensions.
~BAS
--On Monday, February 04, 2008 12:58 PM -0500 "Brian A. Seklecki" lavalamp@spiritual-machines.org wrote:
It's a platform-independent question. There aren't any vendor-local patches that would affect it -- and major OpenSSL development stopped a while back.
OpenLDAP supports both GnuTLS and OpenSSL. The current Debian stable has a hacked set of libraries. The questions were valid. In any case, I hope for success in your testing.
--Quanah
On Mon, 4 Feb 2008, Quanah Gibson-Mount wrote:
--On Monday, February 04, 2008 12:58 PM -0500 "Brian A. Seklecki" lavalamp@spiritual-machines.org wrote:
It's a platform-independent question. There aren't any vendor-local patches that would affect it -- and major OpenSSL development stopped a while back.
OpenLDAP supports both GnuTLS and OpenSSL.
That is true -- but hopefully not too many people are using/depending on GnuTLS. That stuff is really far out in the cut.
I've already done the hard work of digging through vendor-localized OpenSSL patches (FBSD Ports, Pkgsrc, Portage, DEBs, Fink) for things that would apply globally -- nothing came up, so I dropped the 'Office Space TPS Reports w/ the new Coversheet' bug report cliche and went right to the heart of it (as anyone asking about "X.509v3 certificate signing extensions" likely would be expected to) -- e.g., I was hoping to save you guys the trouble by the inherent directness.
That is to say, if the message had instead inquired: "Has anyone done a recent s/strcpy(3)/strlcpy(3)/g audit?", you can likely infer that I'm 1) Not running GNU/Linux 2) Am Running CVS Trunk 3) Not a PFY.
The current Debian stable has a hacked set of libraries. The questions
Or as my local LUG says "Don't you mean 'Debian Stale'?" -- >:}
were valid. In any case, I hope for success in your testing.
Thank you!
I didn't find any problem using a cert signed with extensions, so either 1) The problem didn't exist on OpenLDAP and it was instead manifest in some other app (FreeRADIUS maybe?) 2) I imagined the problem in my OpenSSL naivety some time ago 3) The problem was fixed silently. 4) Solar flares. 5) ...
l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/
"Guilty? Yeah. But he knows it. I mean, you're guilty. You just don't know it. So who's really in jail?" ~Maynard James Keenan
Brian A. Seklecki wrote:
You leave out key information --
What version of OpenLDAP are you using?
What underlying SSL software are you using? What version of that software?
Is your distro Debian?
It's a platform-independent question.
Given the wide variation in revisions of software that various vendors ship, there is no such thing. If you're going to assume that you know more about how this software works than we do, and what information is pertinent to answering a question, you might as well not bother to ask any questions in the first place.
There aren't any vendor-local patches that would affect it -- and major OpenSSL development stopped a while back.
OpenSSL is not necessarily the relevant piece of software here. There's also GNUtls to consider, but we can't say for certain because you have decided in your infinite wisdom that providing relevant details is unnecessary.
On Mon, 4 Feb 2008, Howard Chu wrote:
If you're going to assume that you know more about how this software works than we do, and what information is pertinent to answering a question, you might as well not bother to ask any questions in the first place.
Man ... you are wrapped way too tight for Southern California :)
OpenSSL is not necessarily the relevant piece of software here. There's also GNUtls to consider, but we can't say for certain because you have decided in your infinite wisdom that providing relevant details is unnecessary.
Oh for heaven's sake. Like I'm going to send you "uname -a" output when I'm asking about personal experiences with X.509 certificate / PKI providers?
Relax man ... You keep on like that, people will start to think you're a nun in a monastery (with sand in your couch!). Kudos to Quanah, though, for not treating me like a PYI. Next Christmas we're sending him a $100 bottle of scotch and you a bottle of Johnson & Johnson "No Tears" (*)
~~BAS
(*) That's a Maddox reference. You deserve a bottle of Scotch, too, though.
Brian A. Seklecki wrote:
On Mon, 4 Feb 2008, Howard Chu wrote:
If you're going to assume that you know more about how this software works than we do, and what information is pertinent to answering a question, you might as well not bother to ask any questions in the first place.
Man ... you are wrapped way too tight for Southern California :)
It's been a particularly cold winter...
OpenSSL is not necessarily the relevant piece of software here. There's also GNUtls to consider, but we can't say for certain because you have decided in your infinite wisdom that providing relevant details is unnecessary.
Oh for heaven's sake. Like I'm going to send you "uname -a" output when I'm asking about personal experiences with X.509 certificate / PKI providers?
Your original post didn't ask about PKI providers. You asked:
Does anyone know of any known-problems with OpenLDAP server/client-side certificates signed with X509 v3 Extensions?
And in fact, in the intervening time since you posted the question, a problem was reported: http://www.openldap.org/its/index.cgi/Incoming?id=5361
If you're going to ask a vague question and then change your mind about what you really meant to ask, that's not going to help the conversation much either.
Relax man ... You keep on like that, people will start to think you're a nun in a monastery (with sand in your couch!). Kudos to Quanah, though, for not treating me like a PYI. Next Christmas we're sending him a $100 bottle of scotch and you a bottle of Johnson & Johnson "No Tears" (*)
~~BAS
(*) That's a Maddox reference. You deserve a bottle of Scotch, too, though.
Ah, finally a posting of substance. An Islay is always good. :P
openldap-software@openldap.org