Subject: CAcert Code Development list.
- From: David McIlwraith <archaios AT cacert.org>
- To: cacert-devel AT lists.cacert.org
- Subject: Re: Patch request: Bug #540
- Date: Wed, 25 Jul 2012 13:58:20 +1000
Hi,
It appears that order should not matter; it is strange that it was being 'ignored' in any sense (judging from my brief analysis). The missing 'crlDistributionPoints' was obviously an issue (non-compliance w/ both CPS and board resolution changing it), but I cannot exactly see why, apart from the case of DH (added keyNegotiation), that it should be ignored by OpenSSL entirely. It is indeed missing in the certs issued; I can see that myself.
    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:FALSE
        Netscape Comment:
            To get your own certificate for FREE head over to http://www.CAcert.org
        X509v3 Extended Key Usage:
            E-mail Protection, TLS Web Client Authentication, Microsoft Encrypted File System, Microsoft Server Gated Crypto, Netscape Server Gated Crypto
        Authority Information Access:
            OCSP - URI:http://ocsp.cacert.org
        X509v3 Subject Alternative Name:
            email:archaios AT cacert.org
Quote: "The strange thing is: With certificates generated in January we have no problems, but with the new ones. Did you change something in this timeframe affecting the structure of the certificates?
However, the key usage should be selectable in the certificates as we know many apps that have problems with certs without key usage." -Thomas Reich
From comments page. Ignoring that he said it should be selectable within the certificates, it is stated that certs from Jan were okay.
Judging from my analysis of OpenSSL 0.9.8c (Debian stable, old version), order in the .cnf file does not matter for the attributes. However, it evidently _does_ in the version deployed on the signing-server. Therefore, it is worthwhile investigating why extended usage but not standard usage appears in the ASN.1 attributes of the X.509 certs even _with_ the bugfix.
Regards,
- David McIlwraith
<archaios AT cacert.org>
On 25/07/12 13:15, David McIlwraith wrote:
Hi all,
Sorry, I noticed that one myself and forgot to file a bug report. I'm
not entirely sure why OpenSSL doesn't recognise a keyUsage constraint
after extendedKeyUsage; that in and of itself is a bug in upstream. I'll
see if I can trace it...
Regards,
- David McIlwraith
<archaios AT cacert.org>
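
An added example, not part of the original messages and not CAcert code: a post-issuance check that parses the extensions block of `openssl x509 -noout -text` output and reports which required extensions are absent, using the listing from the message as constructed input. The function names and the `REQUIRED` list (the two extensions the thread discusses) are assumptions of this example.

```python
import re

# Constructed sample: the extension listing from the message above, indented
# the way `openssl x509 -noout -text` prints it.
SAMPLE = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            Netscape Comment:
                To get your own certificate for FREE head over to http://www.CAcert.org
            X509v3 Extended Key Usage:
                E-mail Protection, TLS Web Client Authentication, Microsoft Encrypted File System, Microsoft Server Gated Crypto, Netscape Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org
            X509v3 Subject Alternative Name:
                email:archaios AT cacert.org
"""

# Assumed policy for this example: the two extensions the thread discusses.
REQUIRED = ("X509v3 Key Usage", "X509v3 CRL Distribution Points")

def parse_extensions(text):
    """Map extension name -> {"critical": bool, "values": [str]}."""
    exts, base, level, current = {}, None, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        depth = len(line) - len(line.lstrip(" "))
        if base is None:
            if line.strip() == "X509v3 extensions:":
                base = depth
            continue
        if depth <= base:  # first line outside the extensions block
            break
        if level is None:
            level = depth  # indentation of the extension header lines
        if depth == level:
            m = re.match(r"(.+?):\s*(critical)?$", line.strip())
            name = m.group(1) if m else line.strip()
            current = exts.setdefault(name, {"critical": bool(m and m.group(2)), "values": []})
        else:
            current["values"].append(line.strip())
    return exts

def missing_extensions(text, required=REQUIRED):
    present = parse_extensions(text)
    return [name for name in required if name not in present]
```

Running `missing_extensions` over the text dump of a freshly issued test certificate after each change to the signing configuration shows whether a dropped extension has come back, without reading the dump by eye.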