
openssl config; full form of multi-valued field


A.B.COKO/\OB

May 14, 2011, 4:55:44 AM
Dear ladies/gentlemen,

I'd like to clear up the situation with the feature described in the manual at
http://openssl.org/docs/apps/x509v3_config.htm (attached below).

I even tried the same example from the manual, with two different versions
of OpenSSL (0.9.7 on Linux, 1.0.0 on Windows); in both cases this example
does not work. But the feature is highly valuable (for LDAP URIs,
you know)!
So, any hint, please. (I can "work around" the problem with the raw
format of fields, but it's not a nice solution.)

Alexey Sokolov, Yaroslavl Univ., Russia

The error message when the example block is included:

Error Loading extension section v3_ca
3680:error:22075075:X509 V3 routines:v2i_GENERAL_NAME_ex:unsupported
option:.\crypto\x509v3\v3_alt.c:557:name=subjectAltName
3680:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:.\crypto\x509v3\v3_conf.c:93:name=subjectAltName,
value=@subject_alt_section


> NOTES
> If an extension is multi-value and a field value must contain a comma
> the long form must be used otherwise the comma would be misinterpreted as a field separator.
> For example:
> subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
> will produce an error but the equivalent form:
> subjectAltName=@subject_alt_section
> [subject_alt_section]
> subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar


---
Alexey V. Sokolov,
Mailto: a...@uniyar.ac.ru
Callto: (4852) 248203 (ext.16)
PGPkey: http://univ.uniyar.ac.ru/~abc/a...@univ.asc

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Victor Duchovni

May 14, 2011, 11:05:11 AM
On Sat, May 14, 2011 at 12:55:44PM +0400, A.B.COKO/\OB wrote:

> > For example:
> > subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
> > will produce an error but the equivalent form:
> > subjectAltName=@subject_alt_section
> > [subject_alt_section]
> > subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar

This is not the right syntax, for example with DNS names:

subjectAltName = @alt_names

[ alt_names ]
DNS.1 = a.example.com
DNS.2 = b.example.com
DNS.3 = c.example.com

So your [ alt_section ] needs to be a list of

<type>.<instance_number> = value

lines, where <type> is a valid subject altName type and <instance_number>
is an integer counter that starts at (and increments by) 1 for each type.

--
Viktor.

A.B.COKO/\OB

May 16, 2011, 5:52:48 AM
Viktor, thank you very much for the syntax: that manual really IS misleading!
Well, now I can configure good (for Microsoft) CRL distribution points:
crlDistributionPoints = ca_cdp
[ ca_cdp ]
fullname = @ca_cdp_uries
reasons = keyCompromise
[ ca_cdp_uries ]
URI.1 = ldap:///CN=CA,CN=IssuerW2k8,CN=CDP,CN=Public%20Key%20Services,CN=Services,....etc
URI.2 = http://issuerw2k8.wud.lan/CertEnroll/ROOTCA.crl

(2) *** But: ***
how shall I cope with Authority Info Access?
The manual says: authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html
I need an LDAP URI with commas inside, and OpenSSL refuses both of my assumptions:
(a) authorityInfoAccess = some_section
(b) authorityInfoAccess = caIssuers;@some_other_section

If only there were a way to escape the comma symbol in string values where sequences are expected!
So please, more hints...

Alexey

Alexandre Aufrere

May 16, 2011, 7:07:54 AM
I'd try that way:
authorityInfoAccess = @aias

[aias]
caIssuers;URI.1=http://pervaya.ssilka/..
caIssuers;URI.2=http://vtoraya.ssilka/..

but this is just my guess... might be wrong.

Alexandre

--
Alexandre Aufrere - OpenTrust
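To see why the manual's example fails while the section forms from the three replies above work, here is a small added model of the config handling, written in Python for this thread; it is not OpenSSL's code and only imitates its splitting rules: X509V3_parse_list splits a one-line value on commas and then each item on its first colon, a `@section` is taken line by line as name/value pairs, the text before `.` in a name selects the GeneralName type, authorityInfoAccess names have the form `<accessMethod>;<type>`, and a bare name under crlDistributionPoints refers to a DistributionPoint section. The config embedded in it is a constructed sample assembled from the forms in the posts (ca.example.com is a placeholder host), and the lists of GeneralName types and access methods are abbreviated.

```python
import re
# Added model of OpenSSL's x509v3 config handling (not OpenSSL code): just enough of
# CONF, X509V3_parse_list, v2i_GENERAL_NAME_ex and the AIA / CRL DP handlers to
# reproduce the thread's working and failing forms.
GENERAL_NAME_TYPES = ("email", "URI", "DNS", "RID", "IP", "dirName", "otherName")
ACCESS_METHODS = ("OCSP", "caIssuers")  # OpenSSL also accepts OIDs here; omitted

# Constructed sample: the manual's form and the section forms from the posts
# above (ca.example.com is a placeholder host).
SAMPLE_CNF = """\
[ v3_manual ]
subjectAltName = @subject_alt_section
[ subject_alt_section ]
subjectAltName = URI:ldap://somehost.com/CN=foo,OU=bar
[ v3_ok ]
subjectAltName = @alt_names
authorityInfoAccess = @aias
crlDistributionPoints = ca_cdp
[ alt_names ]
URI.1 = ldap://somehost.com/CN=foo,OU=bar
[ aias ]
caIssuers;URI.1 = http://ca.example.com/ca.crt
[ ca_cdp ]
fullname = @ca_cdp_uries
reasons = keyCompromise
[ ca_cdp_uries ]
URI.1 = ldap:///CN=CA,CN=IssuerW2k8,CN=CDP,CN=Public%20Key%20Services
URI.2 = http://issuerw2k8.wud.lan/CertEnroll/ROOTCA.crl
"""

def parse_conf(text):
    """CONF parser: a line is split once on '=', so commas in the value survive."""
    sections, cur = {"default": []}, "default"
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if m:
            cur = m.group(1)
            sections.setdefault(cur, [])
        else:
            name, _, value = line.partition("=")
            sections[cur].append((name.strip(), value.strip()))
    return sections

def parse_list(value, sections):
    """X509V3_parse_list: '@sect' takes a section's lines as-is; otherwise split on ','
    then each item on its first ':' (this comma split is what breaks a one-line URI)."""
    if value.startswith("@"):
        return list(sections[value[1:]])
    return [(n.strip(), v.strip() if sep else None)
            for n, sep, v in (item.strip().partition(":") for item in value.split(","))]

def general_name(name, value):
    """v2i_GENERAL_NAME_ex: text before '.' picks the type; anything else is 'unsupported option'."""
    base = name.split(".", 1)[0]
    if base not in GENERAL_NAME_TYPES or value is None:
        raise ValueError(f"unsupported option: name={name}, value={value}")
    return (base, value)

def subject_alt_name(value, sections):
    return [general_name(n, v) for n, v in parse_list(value, sections)]

def authority_info_access(value, sections):
    """v2i_AUTHORITY_INFO_ACCESS: each name is '<accessMethod>;<GeneralName type>'."""
    out = []
    for name, val in parse_list(value, sections):
        method, sep, gn_type = name.partition(";")
        if not sep or method not in ACCESS_METHODS:
            raise ValueError(f"invalid access method: name={name}")
        out.append((method, general_name(gn_type, val)))
    return out

def crl_distribution_points(value, sections):
    """v2i_crld: an item without a value names a DistributionPoint section whose
    'fullname' refers to a GeneralNames section; a name:value item is one name."""
    points = []
    for name, val in parse_list(value, sections):
        if val is not None:
            points.append({"fullname": [general_name(name, val)]})
            continue
        dp = dict(sections[name])
        point = {"fullname": subject_alt_name(dp["fullname"], sections)}
        if "reasons" in dp:
            point["reasons"] = [r.strip() for r in dp["reasons"].split(",")]
        points.append(point)
    return points

HANDLERS = {"subjectAltName": subject_alt_name,
            "authorityInfoAccess": authority_info_access,
            "crlDistributionPoints": crl_distribution_points}

def load_extensions(section, cnf_text=SAMPLE_CNF):
    """Return {extension: parsed value}, or the error text OpenSSL would print."""
    sections = parse_conf(cnf_text)
    try:
        return {n: HANDLERS[n](v, sections) for n, v in sections[section]}
    except (ValueError, KeyError) as e:
        return f"Error Loading extension section {section}: {e}"

if __name__ == "__main__":
    print(load_extensions("v3_manual"), load_extensions("v3_ok"), sep="\n")
```

Running it prints the `unsupported option: name=subjectAltName` error for the manual's section, because inside a `@section` the name on each line is what has to be a GeneralName type (Viktor's point), and the parsed SAN, AIA and CRL DP values for the section forms, commas intact.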

A.B.COKO/\OB

May 16, 2011, 8:59:47 AM

Alexandre, you've got it!!!

Monday, May 16, 2011, 3:07:54 PM, you wrote:
AA> I'd try that way:
AA> authorityInfoAccess = @aias
AA> [aias]
AA> caIssuers;URI.1=http://pervaya.ssilka/..
AA> caIssuers;URI.2=http://vtoraya.ssilka/..

(3) **** So maybe you know how to deal with extensions unknown (to OpenSSL)?
For example:
MS revocation lists have 1.3.6.1.4.1.311.21.14 - CRL_SELF_CDP.
Its structure is much the same as crlDistributionPoints (I even
inserted raw-format data, successfully).
0:d=0 hl=3 l= 180 cons: SEQUENCE
3:d=1 hl=3 l= 177 cons: SEQUENCE
6:d=2 hl=3 l= 174 cons: cont [ 0 ]
9:d=3 hl=3 l= 171 cons: cont [ 0 ]
12:d=4 hl=3 l= 168 prim: cont [ 6 ]

I tried:
1.3.6.1.4.1.311.21.14 = ASN1:SEQUENCE:crl_self
[ crl_self ]
URI.1 = UTF8:ldap:///CN=CA,CN=IssuerW2k8,CN=CDP,CN=Public....
URI.2 = UTF8:http://issuerw2k8.wud.lan/CertEnroll/RootCA.crl
or
1.3.6.1.4.1.311.21.14 = ASN1:SEQUENCE:crl_self
[ crl_self ]
fullname = SEQUENCE:crl_self_2
[ crl_self_2 ]
URI.1 = UTF8:ldap:///CN=CA,CN=IssuerW2k8,CN=CDP,........
URI.2 = UTF8:http://issuerw2k8.wud.lan/CertEnroll/RootCA.crl

The inner content differs, so the software does not recognize such an object.

Your general advice: can one construct an object for openssl.conf
just by looking at its DER (or parsed) content, such as the above?

Thanks in advance, Alex
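One way to work from a dump like the one above is to compare tag nesting rather than guess at config syntax. The following is an added example in Python, not from the thread or from OpenSSL: a minimal DER encoder and walker that rebuilds the SEQUENCE / SEQUENCE / cont [0] / cont [0] / cont [6] nesting of the asn1parse output and prints it back in asn1parse style. That nesting is the standard CRLDistributionPoints encoding (SEQUENCE OF DistributionPoint, distributionPoint [0] EXPLICIT because DistributionPointName is a CHOICE, fullName [0] IMPLICIT GeneralNames, uniformResourceIdentifier [6] IMPLICIT IA5String), whereas the `ASN1:SEQUENCE` attempts above encode plain UTF8Strings inside SEQUENCEs with no context tags, which is the "inner content differs" outcome. The URIs used are sample values taken from the posts.

```python
# Added example (not OpenSSL code): encode a CRLDistributionPoints value with the
# tag nesting from the asn1parse dump, and walk arbitrary DER back into that form.
UNIVERSAL = {0x02: "INTEGER", 0x06: "OBJECT", 0x0C: "UTF8STRING", 0x16: "IA5STRING",
             0x10: "SEQUENCE", 0x11: "SET"}

def der_length(n):
    """DER length octets: one byte below 128, else 0x80|count and big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body

def encode_crl_dp(uris):
    """CRLDistributionPoints holding one DistributionPoint with the given URIs."""
    names = b"".join(tlv(0x86, u.encode("ascii")) for u in uris)  # [6] IMPLICIT IA5String
    full_name = tlv(0xA0, names)     # fullName [0] IMPLICIT GeneralNames (constructed)
    dp_name = tlv(0xA0, full_name)   # distributionPoint [0] EXPLICIT DistributionPointName
    return tlv(0x30, tlv(0x30, dp_name))  # SEQUENCE OF DistributionPoint

def parse_der(data, depth=0, base=0, out=None):
    """Walk TLVs; return (offset, depth, header_len, length, constructed, tag) tuples."""
    out = [] if out is None else out
    i = 0
    while i < len(data):
        tag = data[i]
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tag numbers not handled")
        j = i + 1
        first, j = data[j], j + 1
        if first & 0x80:
            n = first & 0x7F
            length, j = int.from_bytes(data[j:j + n], "big"), j + n
        else:
            length = first
        if j + length > len(data):
            raise ValueError(f"length {length} at offset {base + i} runs past the end")
        out.append((base + i, depth, j - i, length, bool(tag & 0x20), tag))
        if tag & 0x20:  # constructed: recurse into the body with absolute offsets
            parse_der(data[j:j + length], depth + 1, base + j, out)
        i = j + length
    return out

def tag_name(tag):
    num = tag & 0x1F
    if tag & 0xC0 == 0x80:  # context-specific class, printed like asn1parse
        return f"cont [ {num} ]"
    return UNIVERSAL.get(num, f"tag {num}")

def asn1parse_lines(der):
    """Render the walk in the 'off:d=.. hl=.. l=.. cons/prim: NAME' format of openssl asn1parse."""
    return [f"{off:5d}:d={d} hl={hl} l={ln:4d} {'cons' if c else 'prim'}: {tag_name(t)}"
            for off, d, hl, ln, c, t in parse_der(der)]

def shape(der):
    """Only (depth, tag name) pairs: the thing to compare between a generated value and a dump."""
    return [(d, tag_name(t)) for _, d, _, _, _, t in parse_der(der)]

if __name__ == "__main__":
    sample = encode_crl_dp(["http://issuerw2k8.wud.lan/CertEnroll/RootCA.crl"])
    print("\n".join(asn1parse_lines(sample)))
```

The practical check is to take a known-good certificate, dump the extension's DER with `openssl asn1parse`, and compare its `shape()` with what a candidate openssl.cnf generates; a mismatch in the context tags (cont [0], cont [6]) or in the string type (IA5STRING versus UTF8STRING) shows up immediately, before the certificate is handed to relying software.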
