[Pkg-openssl-devel] Bug#422882: openssl: mistake in note on x509v3_config manual page

Javier Barroso Javier.Barroso at isotrol.com
Tue May 15 13:49:20 UTC 2007


Sorry, my first response was treated as a new thread.

Kurt Roeckx wrote:
> On Tue, May 08, 2007 at 06:03:51PM +0200, Javier Barroso wrote:
>   
>> Package: openssl
>> Version: 0.9.8e-4
>> Severity: normal
>> Tags: patch
>>     
>
> I see no patch?
>   
I was in doubt: if somebody proposes a small change, I don't know if
it could be considered a patch. Now that I know it is not a
patch, I won't tag patch anymore if a patch file is not attached.
>> The NOTE section of the x509v3_config manual page says:
>> If an extension is multi-value and a field value must contain a comma the long form must be used otherwise the
>>        comma would be misinterpreted as a field separator. For example:
>>
>>         subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
>>
>>        will produce an error but the equivalent form:
>>
>>         subjectAltName=@subject_alt_section
>>
>>         [subject_alt_section]
>>         subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
>>
>>        is valid.
>>
>> I had to change my openssl.cnf file to something like:
>> [v3_req]
>> ...
>> crlDistributionPoints = @crl_section
>> [crl_section]
>> URI=ldap://xxx.com/cn=XXX,ou=XXX,o=XXX,c=XXX
>>
>> Original note doesn't work for me.
>>     
>
> And I have no idea what you think is wrong ...
>   
I can't generate the certificate (with a crlDistributionPoints LDAP
URI within it) by following the manual page's instructions.

When subjectAltName is crlDistributionPoints, what the manual recommends fails:
 subjectAltName=@subject_alt_section
 [subject_alt_section]
 subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar

I think the correct setup is (at least for crlDistributionPoints):
 subjectAltName=@subject_alt_section
 [subject_alt_section]
 URI=ldap://somehost.com/CN=foo,OU=bar

I can generate my certificate with the second config, but not with the first.

Please correct me if I'm wrong.

As a reference, I read
http://www.mail-archive.com/openssl-dev@openssl.org/msg21907.html for
my solution.

Thank you
PS: Sorry for my English
> Kurt
>
>   


-- 
Javier Barroso Tristán
Network and Systems Administrator
TECHNOLOGY DIVISION: OPERATIONS AND SUPPORT
javier.barroso at isotrol.com
--------------------------------------------

ISOTROL
Edificio BLUENET. Avda. Isaac Newton nº 3, 4ª planta.
Parque Tecnológico Cartuja '93, 41092 Sevilla.
Telephone: 955 036 800 - Fax: 955 036 849
www.isotrol.com
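
Added example, not part of the original message or of OpenSSL's documentation: a shell check that builds a throwaway self-signed certificate with each of the three config forms discussed in this thread and reports which ones `openssl req` accepts. The `try_form` helper, the `alt_section` section name, the `example.test` subject and the temporary files are assumptions made for illustration; it needs the `openssl` command line tool.

```shell
#!/bin/sh
# try_form EXT FORM: build a throwaway self-signed certificate carrying
# extension EXT (e.g. crlDistributionPoints) written in one of three forms.
# Returns 0 only if openssl accepts the config and the URI, comma included,
# appears in the resulting certificate. Hypothetical helper, constructed data.
URI='ldap://somehost.com/CN=foo,OU=bar'

try_form() {
    ext=$1
    form=$2
    dir=$(mktemp -d) || return 2
    {
        printf '[req]\ndistinguished_name = dn\nprompt = no\nx509_extensions = ext\n'
        printf '[dn]\nCN = example.test\n[ext]\n'
        case $form in
            short)   # single line: the comma is read as a field separator
                printf '%s = URI:%s\n' "$ext" "$URI" ;;
            manpage) # long form as printed in the manual page NOTE
                printf '%s = @alt_section\n[alt_section]\n%s = URI:%s\n' "$ext" "$ext" "$URI" ;;
            fixed)   # long form with the name type (URI) as the key
                printf '%s = @alt_section\n[alt_section]\nURI = %s\n' "$ext" "$URI" ;;
        esac
    } > "$dir/openssl.cnf"
    rc=1
    if openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
           -config "$dir/openssl.cnf" -keyout "$dir/key.pem" \
           -out "$dir/cert.pem" >/dev/null 2>&1 &&
       openssl x509 -in "$dir/cert.pem" -noout -text | grep -F -q "URI:$URI"
    then rc=0; fi
    rm -rf "$dir"
    return $rc
}

# Report each form for the extension from the bug report.
for f in short manpage fixed; do
    if try_form crlDistributionPoints "$f"; then echo "$f: accepted"
    else echo "$f: rejected"; fi
done
```

Checking the generated certificate for the full URI, not just the exit status, also catches a config that is accepted but silently drops everything after the comma.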




