Skip to Content.
Sympa Menu

cacert-devel - Re: Patch request: Bug #540

Subject: CAcert Code Development list.

List archive

Re: Patch request: Bug #540

Chronological Thread 
  • From: David McIlwraith <archaios AT>
  • To: cacert-devel AT
  • Subject: Re: Patch request: Bug #540
  • Date: Wed, 25 Jul 2012 13:58:20 +1000


It appears that order should not matter; it is strange that it was being 'ignored' in any sense (judging from my brief analysis). The missing 'crlDistributionPoints' was obviously an issue (non-compliance w/ both CPS and board resolution changing it), but I cannot exactly see why, apart from the case of DH (added keyNegotiation), that it should be ignored by OpenSSL entirely. It is indeed missing in the certs issued; I can see that myself.

        X509v3 extensions:
            X509v3 Basic Constraints: critical
            Netscape Comment:
To get your own certificate for FREE head over to
            X509v3 Extended Key Usage:
E-mail Protection, TLS Web Client Authentication, Microsoft Encrypted File System, Microsoft Server Gated Crypto, Netscape Server Gated Crypto
            Authority Information Access:
                OCSP - URI:

            X509v3 Subject Alternative Name:
email:archaios AT

Quote: "The strange thing is: With certificates generated in January we have no problems, but with the new ones. Did you change something in this timeframe affecting the structure of the certificates?
However, the key usage should be selectable in the certificates as we know many apps that have problems with certs without key usage. " -Thomas Reich

From comments page. Ignoring that he said it should be selectable within the certificates, it is stated that certs from Jan were okay.

Judging from my analysis of OpenSSL 0.9.8c (Debian stable, old version), order in the .cnf file does not matter for the attributes. However, it evidently _does_ in the version deployed on the signing-server. Therefore, it is worthwhile investigating why extended usage but not standard usage appears in the ASN.1 attributes of the X.509 certs even _with_ the bugfix.

- David McIlwraith 
<archaios AT>

On 25/07/12 13:15, David McIlwraith wrote:
Hi all,

Sorry, I noticed that one myself and forgot to file a bug report. I'm
not entirely sure why OpenSSL doesn't recognise a keyUsage constraint
after extendedKeyUsage; that in and of itself is a bug in upstream. I'll
see if I can trace it...

- David McIlwraith 
<archaios AT>

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Archive powered by MHonArc 2.6.16.

Top of Page