Re: Using Arbitrary X509 certificates for LDAPS authentication

Michael Ströder wrote: > Howard Chu wrote: >> Stephen Cartwright wrote: >>> I looked into this and I don't understand :( Would you please clarify >>> why a DN such as "/C=CA/O=Grid/CN=host/somehost.somedomain.ca" is >>> broken? You said "somehost.somedomain.ca" is not a valid RDN because >>> it just has a value and not a type, however the RDN is not just >>> "somehost.somedomain.ca" but "CN=host/somehost.somedomain.ca" which >>> has a type of "CN" and a value of "host/somehost.somedomain.ca" does >>> it not? >> >> That wasn't clear to me from the output you posted before. Since you >> were posting a DN that uses '/' as its RDN separator, the software that >> generated this log output should have escaped the '/' in the attribute >> value if that was really the situation. E.g., it should have looked like >> /CN=host%2Fsomehost.somedomain.ca. > > Using top-down-order and / as separator is the standard behaviour of > OpenSSL. > :-/ Right, there's nothing wrong with that, it's a well-established practice with a long history. But what's wrong is that when you use '/' as a separator, then you must escape it when it appears in a value.