[Mono-bugs] [Bug 78226][Wis] Changed - Unable to bind to LDAP server via SSL using Novell.Directory.Ldap

bugzilla-daemon at bugzilla.ximian.com
Thu Apr 27 21:18:18 EDT 2006


Please do not reply to this email- if you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by sebastien at ximian.com.

http://bugzilla.ximian.com/show_bug.cgi?id=78226

--- shadow/78226	2006-04-27 18:15:28.000000000 -0400
+++ shadow/78226.tmp.4088	2006-04-27 21:18:18.000000000 -0400
@@ -1,14 +1,14 @@
 Bug#: 78226
 Product: Mono: Class Libraries
 Version: 1.1
-OS: 
+OS: unknown
 OS Details: 
-Status: NEW   
+Status: ASSIGNED   
 Resolution: 
-Severity: 
+Severity: Unknown
 Priority: Wishlist
 Component: Mono.Security
 AssignedTo: sebastien at ximian.com                            
 ReportedBy: directhex at apebox.org               
 QAContact: mono-bugs at ximian.com
 TargetMilestone: ---
@@ -115,6 +115,60 @@
 
 
 ------- Additional Comments From directhex at apebox.org  2006-04-27 18:15 -------
 Created an attachment (id=16859)
 Certificate of failing server, signed by previously attached CA
 
+
+------- Additional Comments From sebastien at ximian.com  2006-04-27 21:18 -------
+> All certificates were generated with OpenLDAP.
+
+Are you sure they were generated by OpenLDAP and not by OpenSSL ?
+
+
+> openssl verify -purpose sslserver osc-ca.pem
+
+That seems to check the ca certificate, not the SSL server certificate
+and it should return a "semi-error", like:
+
+openssl verify -verbose -purpose sslserver 78226.ca.pem
+78226.ca.pem: /C=UK/ST=Oxfordshire/L=Oxford/O=University of
+Oxford/OU=Oxford Supercomputing Centre/CN=Jo
+Shields/emailAddress=jms at comlab.osc.ox.ac.uk
+error 18 at 0 depth lookup:self signed certificate
+OK
+
+because it's a self signed certificate (unless you used other options).
+
+
+Anyway OpenSSL verify is anemic. It report your certificate as "valid"
+for all purposes, even for signing CRL
+
+poupou at pollux:~/src/bugzilla> openssl verify -verbose -CAfile
+78226.ca.pem -purpose sslserver 78226.ldap.pem
+78226.ldap.pem: OK
+poupou at pollux:~/src/bugzilla> openssl verify -verbose -CAfile
+78226.ca.pem -purpose sslclient 78226.ldap.pem
+78226.ldap.pem: OK
+poupou at pollux:~/src/bugzilla> openssl verify -verbose -CAfile
+78226.ca.pem -purpose nssslserver 78226.ldap.pem
+78226.ldap.pem: OK
+poupou at pollux:~/src/bugzilla> openssl verify -verbose -CAfile
+78226.ca.pem -purpose smimesign 78226.ldap.pem
+78226.ldap.pem: OK
+poupou at pollux:~/src/bugzilla> openssl verify -verbose -CAfile
+78226.ca.pem -purpose smimeencrypt 78226.ldap.pem
+78226.ldap.pem: OK
+poupou at pollux:~/src/bugzilla> openssl verify -verbose -CAfile
+78226.ca.pem -purpose crlsign 78226.ldap.pem
+78226.ldap.pem: OK
+poupou at pollux:~/src/bugzilla> openssl verify -verbose -CAfile
+78226.ca.pem -purpose any 78226.ldap.pem
+78226.ldap.pem: OK
+poupou at pollux:~/src/bugzilla> openssl verify -verbose -CAfile
+78226.ca.pem -purpose ocsphelper 78226.ldap.pem
+78226.ldap.pem: OK
+
+I'll re-read the RFCs about the "lack" of (any type) key usage in v3
+certificates. In the mean time, I suggest you regenerate the server
+certificates (not your CA) to include an extended key usage with the
+oid 1.3.6.1.5.5.7.3.1 (Server Authentication).
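Review bot: the quoted reporter command `openssl verify -purpose sslserver osc-ca.pem` verifies the CA certificate itself rather than the server certificate, so it cannot tell whether the LDAP server's certificate is acceptable for server authentication; the later commands in this comment (`openssl verify -verbose -CAfile 78226.ca.pem -purpose sslserver 78226.ldap.pem`) are the ones that exercise the server certificate against the CA, and the reporter should be pointed at that form. The "error 18 at 0 depth lookup:self signed certificate" followed by "OK" on the CA is expected for a self-signed root and is not a defect. The fact that every `-purpose` value (sslserver, sslclient, smimesign, crlsign, ocsphelper, ...) returns OK for 78226.ldap.pem matches the "lack of (any type) key usage" observation: with no Key Usage or Extended Key Usage extension present, `openssl verify` has nothing to reject on, which is why it is a weak discriminator here. The suggested fix of regenerating the server certificate (leaving the CA alone) with an Extended Key Usage of 1.3.6.1.5.5.7.3.1 (id-kp-serverAuth) is the right direction; it would help the reporter if the comment also asked for the output of `openssl x509 -text -noout` on 78226.ldap.pem so the absence of the extension is confirmed on the record rather than inferred from the verify results.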

