
LDAP address in crlDistributionPoints has commas in it


Roach, Mark R.

Mar 14, 2001, 4:34:34 PM
I can't sign any certificates if I have an LDAP address that includes commas
(between dn components) under crlDistributionPoints... It works fine for
http addresses and ldap addresses that don't have commas, but I'm stuck...
Are there escape codes I need to use? '\' didn't seem to work... out of
ideas...

the error is:

Error Loading extension section usr_cert
27626:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME:missing
value:v3_alt.c:335:
27626:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in
extensions:v3_conf.c:91:name=crlDistributionPoints,
value=URI:ldap://10.13.1.129/cn=this,dc=is?atest


Thanks for any help you can give
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Dr S N Henson

Mar 14, 2001, 6:08:51 PM

"Roach, Mark R." wrote:
>
> I can't sign any certificates if I have an LDAP address that includes commas
> (between dn components) under crlDistributionPoints... It works fine for
> http addresses and ldap addresses that don't have commas, but I'm stuck...
> Are there escape codes I need to use? '\' didn't seem to work... out of
> ideas...
>
> the error is:
>
> Error Loading extension section usr_cert
> 27626:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME:missing
> value:v3_alt.c:335:
> 27626:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in
> extensions:v3_conf.c:91:name=crlDistributionPoints,
> value=URI:ldap://10.13.1.129/cn=this,dc=is?atest
>

This is an unfortunate side effect of the way the CONF parser works and
I never got time to fix this. If you put a '\' in there it gets stripped
by the conf code before the extension routines even see it.

Try using the alternative form of the multivalue extensions.

Instead of doing

crlDistributionPoints=URI:http://some/uri,URI:ldap://10.13.1.129/cn=this,dc=is?atest

try:

crlDistributionPoints=@crldp_section

[ crldp_section ]

URI.1=http://some/uri
URI.2=ldap://10.13.1.129/cn=this,dc=is?atest

for more info see doc/openssl.txt

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: she...@drh-consultancy.demon.co.uk
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: d...@celocom.com PGP key: via homepage.
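
Added example, not part of the original thread and not OpenSSL code: a simplified Python model of why the inline form fails (items split at every comma, then at the first colon) and a helper that renders the section form from the reply. The function names are hypothetical; the sample values are taken from the thread.

```python
# Simplified model (an assumption, not OpenSSL's source): the inline
# multi-value form is cut at every ',' and each item at its first ':'.
def split_inline(value):
    """Return (name, value) pairs; value is None when an item has no ':'."""
    pairs = []
    for item in value.split(","):
        name, sep, val = item.strip().partition(":")
        pairs.append((name, val if sep else None))
    return pairs


def broken_items(value):
    """Items that carry no value, i.e. what triggers 'missing value'."""
    return [name for name, val in split_inline(value) if val is None]


def parse_section_line(line):
    """Section form: one name=value per line, split at the first '=' only,
    so commas inside the value are left alone."""
    name, _, val = line.partition("=")
    return name.strip(), val.strip()


def to_section_form(ext, names, section):
    """Render ext=@section plus numbered TYPE.n=value lines.
    `names` is a list of (type, value) tuples such as ("URI", "ldap://...")."""
    lines = [f"{ext}=@{section}", "", f"[ {section} ]"]
    counts = {}
    for typ, val in names:
        counts[typ] = counts.get(typ, 0) + 1
        lines.append(f"{typ}.{counts[typ]}={val}")
    return "\n".join(lines)


# Sample values copied from the thread.
LDAP_URI = "ldap://10.13.1.129/cn=this,dc=is?atest"
INLINE = "URI:http://some/uri,URI:" + LDAP_URI
NAMES = [("URI", "http://some/uri"), ("URI", LDAP_URI)]

if __name__ == "__main__":
    print(split_inline(INLINE))   # the LDAP DN is cut at its comma
    print(broken_items(INLINE))   # the fragment left without a value
    print(to_section_form("crlDistributionPoints", NAMES, "crldp_section"))
```
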
