Skip to Content.
Sympa Menu

cacert-devel - Re: Patch request: Bug #540

Subject: CAcert Code Development list.

List archive

Re: Patch request: Bug #540

Chronological Thread 
  • From: David McIlwraith <archaios AT>
  • To: Michael Tänzer <michael.taenzer AT>
  • Cc: cacert-devel AT
  • Subject: Re: Patch request: Bug #540
  • Date: Wed, 25 Jul 2012 20:34:23 +1000

Hi Michael,

On 25/07/12 20:19, Michael Tänzer wrote:
Hi David,

On 25.07.2012 05:58, David McIlwraith wrote:
It appears that order should not matter; it is strange that it was being
'ignored' in any sense (judging from my brief analysis). The missing
'crlDistributionPoints' was obviously an issue (non-compliance w/ both
CPS and board resolution changing it), but I cannot exactly see why,
apart from the case of DH (added keyNegotiation), that it should be
ignored by OpenSSL entirely. It is indeed missing in the certs issued; I
can see that myself.

         X509v3 extensions:
             X509v3 Basic Constraints: critical
             Netscape Comment:
                 To get your own certificate for FREE head over to
             X509v3 Extended Key Usage:
                 E-mail Protection, TLS Web Client Authentication,
Microsoft Encrypted File System, Microsoft Server Gated Crypto, Netscape
Server Gated Crypto
             Authority Information Access:
                 OCSP - URI:

             X509v3 Subject Alternative Name:
email:archaios AT

This is on the test server or on the live system? On the live system the
KeyUsage is not deployed yet.

Live system. I know it's not deployed yet. What I meant was that the patch submitted changes the _order_ of the keyUsage line -- there's no (basic) keyUsage at ALL specified on any certs as it stands (only extendedKeyUsage), which means it appears to be ignoring keyUsage entirely when generating them. As for the root certs, I filed a separate bug concerning those; they should only have certSigning and cRLSigning as keyUsage attributes (when they are to be replaced, in any case).

- David McIlwraith 
<archaios AT>

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Archive powered by MHonArc 2.6.16.

Top of Page