[Mono-bugs] [Bug 78226][Wis] Changed - Unable to bind to LDAP server via SSL using Novell.Directory.Ldap

bugzilla-daemon at bugzilla.ximian.com
Fri Apr 28 06:44:45 EDT 2006


Please do not reply to this email. If you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by directhex at apebox.org.

http://bugzilla.ximian.com/show_bug.cgi?id=78226

--- shadow/78226	2006-04-27 21:18:18.000000000 -0400
+++ shadow/78226.tmp.17851	2006-04-28 06:44:45.000000000 -0400
@@ -169,6 +169,27 @@
 78226.ldap.pem: OK
 
 I'll re-read the RFCs about the "lack" of (any type) key usage in v3
 certificates. In the mean time, I suggest you regenerate the server
 certificates (not your CA) to include an extended key usage with the
 oid 1.3.6.1.5.5.7.3.1 (Server Authentication).
+
+------- Additional Comments From directhex at apebox.org  2006-04-28 06:44 -------
+>> All certificates were generated with OpenLDAP.
+
+> Are you sure they were generated by OpenLDAP and not by OpenSSL ?
+
+Too many "Open"s for late at night.
+
+> I'll re-read the RFCs about the "lack" of (any type) key usage in v3
+> certificates. In the mean time, I suggest you regenerate the server
+> certificates (not your CA) to include an extended key usage with the
+> oid 1.3.6.1.5.5.7.3.1 (Server Authentication).
+
+That worked. For the benefit of Google, the required voodoo was adding
+"extendedKeyUsage = 1.3.6.1.5.5.7.3.1" below "[ usr_cert ]" in
+openssl.cnf.
+
+As far as I can read the RFCs, RFC3280 suggests that whilst purpose is
+optional, "Certificate using applications MAY require that a
+particular purpose be indicated in order for the certificate to be
+acceptable to that application." - That said, I may be misinterpreting.
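
Review bot: the fix recorded in the added comment puts "extendedKeyUsage = 1.3.6.1.5.5.7.3.1" under "[ usr_cert ]", so every certificate issued through that section will carry the Server Authentication purpose, while the advice quoted just above it was to regenerate only the server certificates (not the CA). Consider recording the workaround as a separate extension section that is used only when signing the LDAP server certificate, and state which openssl.cnf was edited, so that other certificates issued from the same configuration do not pick up the server purpose as a side effect.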

