Alberto Lopes wrote:
> I dunno if this message was best sent directly to you or posted on the
> list; if so, please feel free to forward it.

Please post to python-ldap-dev@lists.sourceforge.net (Cc:-ed).

> Apparently the "SSL server certificate with blank subject field"
> problem doesn't end in reissuing the certificate, with a filled subject
> field.

Hmm...without seeing the certs and/or error messages I can't tell.

> In the blog post
> http://blogs.technet.com/askds/archive/2008/09/16/third-party-application-fails-using-ldap-over-ssl.aspx,
> the author quotes the RFC 3280 (Internet X.509 PKI spec), in which it is
> stated that when the SAN field is marked as critical and is used to
> express the only identity to the subject, the subject field must be empty.

Frankly, there are lots of interop issues regarding PKIX. You don't want to know all of them. So I wouldn't mark the SAN extension critical and would add the hostname in the CN attribute of the subject name.

> So, strictly speaking, a certificate with blank subject field can be
> conformant to the RFC. In that sense, I think that openssl is already
> conformant, since the "openssl -c" command doesn't give me an error
> message. But maybe openLDAP or python-ldap is not conformant, for giving
> me the error message I talked about in my first message.

Does it work with the OpenLDAP command-line tools? If openssl s_client just works fine and the OpenLDAP command-line tool ldapsearch does not, it would be good to raise this on the openldap-software mailing list.

python-ldap itself does not do anything special. It just passes all parameters to the OpenLDAP lib.

Ciao, Michael.
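An added example (not from the thread or from python-ldap) that checks the two certificate shapes discussed above: the blank-subject/critical-SAN form that RFC 3280 permits, and the CN-plus-non-critical-SAN form recommended in the reply. It assumes the `cryptography` package is installed; the hostname `ldap.example.com` and the function names are constructed for illustration.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID


def describe_identity(cert: x509.Certificate) -> dict:
    """Report how the cert carries its identity. RFC 3280 4.1.2.6: if the
    subject is empty, SAN MUST be present and MUST be marked critical."""
    subject_empty = len(cert.subject) == 0
    cns = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
        san_present, san_critical = True, ext.critical
        dns_names = ext.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        san_present, san_critical, dns_names = False, False, []
    return {
        "subject_empty": subject_empty,
        "cn": cns[0].value if cns else None,
        "san_critical": san_critical,
        "san_dns": dns_names,
        # conformant under RFC 3280 (a blank subject needs a critical SAN)
        "rfc3280_ok": (not subject_empty) or (san_present and san_critical),
        # the interop-friendly shape from the reply: CN present, SAN not critical
        "interop_friendly": bool(cns) and san_present and not san_critical,
    }


def make_self_signed(subject_cn, hostname, san_critical):
    """Build a throwaway self-signed cert (constructed sample; hostname assumed)."""
    key = ec.generate_private_key(ec.SECP256R1())
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)] if subject_cn else []
    name = x509.Name(attrs)
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=san_critical)
    )
    return builder.sign(key, hashes.SHA256())


# Shape that triggered the thread: empty subject with a critical SAN.
BLANK_SUBJECT = describe_identity(make_self_signed(None, "ldap.example.com", True))
# Shape the reply recommends: hostname in CN, SAN left non-critical.
CN_SUBJECT = describe_identity(make_self_signed("ldap.example.com", "ldap.example.com", False))
```

Run `describe_identity` on a server certificate loaded with `x509.load_pem_x509_certificate` to see which of the two shapes it has before chasing the LDAP client.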