I'd like to clear up the situation with the feature described in the manual
http://openssl.org/docs/apps/x509v3_config.htm (attached below).
I tried even that same example from the manual, with 2 different versions
of OpenSSL (0.9.7 Linux, 1.0.0 Windows) -- in both cases this example
does not work. But the feature is highly valuable! (for LDAP URIs,
you know).
So, any hint, please. (I can "work around" the problem with the raw
format of fields, but it's not a nice solution.)
Alexey Sokolov, Yaroslavl Univ., Russia
The message when the example block is included:
Error Loading extension section v3_ca
3680:error:22075075:X509 V3 routines:v2i_GENERAL_NAME_ex:unsupported
option:.\crypto\x509v3\v3_alt.c:557:name=subjectAltName
3680:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:.\crypto\x509v3\v3_conf.c:93:name=subjectAltName,
value=@subject_alt_section
> NOTES
> If an extension is multi-value and a field value must contain a comma
> the long form must be used otherwise the comma would be misinterpreted as a field separator.
> For example:
> subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
> will produce an error but the equivalent form:
> subjectAltName=@subject_alt_section
> [subject_alt_section]
> subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
---
Alexey V. Sokolov,
Mailto: a...@uniyar.ac.ru
Callto: (4852) 248203 (ext.16)
PGPkey: http://univ.uniyar.ac.ru/~abc/a...@univ.asc
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
> > For example:
> > subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
> > will produce an error but the equivalent form:
> > subjectAltName=@subject_alt_section
> > [subject_alt_section]
> > subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
This is not the right syntax, for example with DNS names:
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = a.example.com
DNS.2 = b.example.com
DNS.3 = c.example.com
So your [ alt_section ] needs to be a list of
<type>.<instance_number> = value
lines, where <type> is a valid subject altname type, and <instance_number>
is an integer counter that starts at (and increments by) 1 for each type.
--
Viktor.
(2) *** But: ***
how shall I cope with Authority Info Access?
Manual says: authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html
I need an LDAP URI with commas inside. And OpenSSL refuses both of my assumptions:
(a) authorityInfoAccess = some_section
(b) authorityInfoAccess = caIssuers;@some_other_section
If only there were a way to escape the comma symbol in string values where sequences are expected!
So please, more hints...
Alexey
[aias]
caIssuers;URI.1=http://pervaya.ssilka/..
caIssuers;URI.2=http://vtoraya.ssilka/..
but this is just my guess... it might be wrong.
Alexandre
--
Alexandre Aufrere - OpenTrust
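Tying the two answers above together, here is an added example (not code from the thread or from the OpenSSL project): a test config that uses the <type>.<n> section syntax Viktor describes for a subjectAltName whose LDAP URI contains commas, plus an authorityInfoAccess section keyed "accessMethod;URI.<n>" as Alexandre guesses, which I assume works the same way. It needs the openssl CLI; the host names and DNs are constructed.

```shell
# Added example, not from the thread. Builds a throwaway self-signed CA
# certificate from a config that uses the "<type>.<n> = value" section form,
# so commas inside the URI values are literal rather than field separators.
# The "caIssuers;URI.<n>" / "OCSP;URI.<n>" key form for AIA is an assumption.
set -eu

make_test_cert() {
    dir=$(mktemp -d)
    cat > "$dir/ext.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca

[ dn ]
CN = test-ca

[ v3_ca ]
basicConstraints    = critical, CA:TRUE
subjectAltName      = @alt_names
authorityInfoAccess = @aia

# Section form: one <type>.<n> entry per name, so commas stay literal.
[ alt_names ]
DNS.1 = a.example.com
URI.1 = ldap://somehost.example/CN=foo,OU=bar

# Assumed key form for AIA: <accessMethod>;<type>.<n>
[ aia ]
caIssuers;URI.1 = ldap://somehost.example/CN=CA,CN=AIA,DC=example?cACertificate
OCSP;URI.2      = http://ocsp.example/
EOF
    # Self-signed certificate carrying the extensions; the key is discarded.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -config "$dir/ext.cnf" 2>/dev/null
    # Decode the certificate so the caller can inspect the extension values.
    openssl x509 -in "$dir/cert.pem" -noout -text
    rm -rf "$dir"
}

make_test_cert
```

The decoded output should list the full ldap URI, commas included, under both Subject Alternative Name and Authority Information Access.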
Monday, May 16, 2011, 3:07:54 PM, you wrote:
AA> I'd try that way:
AA> authorityInfoAccess = @aias
AA> [aias]
AA> caIssuers;URI.1=http://pervaya.ssilka/..
AA> caIssuers;URI.2=http://vtoraya.ssilka/..
(3) **** So maybe you know how to deal with extensions unknown (to ssl)?
For example:
MS revocation lists have 1.3.6.1.4.1.311.21.14 - CRL_SELF_CDP.
Its structure is much the same as crlDistributionPoints (I even
inserted raw-format data, successfully).
0:d=0 hl=3 l= 180 cons: SEQUENCE
3:d=1 hl=3 l= 177 cons: SEQUENCE
6:d=2 hl=3 l= 174 cons: cont [ 0 ]
9:d=3 hl=3 l= 171 cons: cont [ 0 ]
12:d=4 hl=3 l= 168 prim: cont [ 6 ]
I tried:
1.3.6.1.4.1.311.21.14 = ASN1:SEQUENCE:crl_self
[ crl_self ]
URI.1 = UTF8:ldap:///CN=CA,CN=IssuerW2k8,CN=CDP,CN=Public....
URI.2 = UTF8:http://issuerw2k8.wud.lan/CertEnroll/RootCA.crl
or
1.3.6.1.4.1.311.21.14 = ASN1:SEQUENCE:crl_self
[ crl_self ]
fullname = SEQUENCE:crl_self_2
[ crl_self_2 ]
URI.1 = UTF8:ldap:///CN=CA,CN=IssuerW2k8,CN=CDP,........
URI.2 = UTF8:http://issuerw2k8.wud.lan/CertEnroll/RootCA.crl
The inner content differs; software does not recognize such an object.
Your general advice: can one construct an object for openssl.conf
just by looking at its DER (or parsed) content, such as the above?
Thanks in advance, Alex