Subject : Re: Client Auth certificates, threat or menace?
From : INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please) (at) *nospam* esmtp.org (Claus Aßmann)
Groups : comp.mail.sendmail
Date : 21. May 2025, 06:33:02
Organisation : MGT Consulting
Message-ID : <100joie$qv6$1@news.misty.com>
References : 1 2 3
User-Agent : trn 4.0-test77 (Sep 1, 2010)
John Levine wrote:
The claim, which I'm not sure I believe, is that the calls to openssl have default values that want the client flag.
Maybe you can give it a try? Or those who make the claim can show
the problem?
It seems to be real based on the openssl doc:
CERTIFICATE EXTENSIONS
The -purpose option checks the certificate extensions and
determines what the certificate can be used for. The actual
checks done are rather complex and include various hacks and
workarounds to handle broken certificates and software.
...
! The extended key usage extension places additional restrictions
! on the certificate uses. If this extension is present (whether
! critical or not) the key can only be used for the purposes
! specified.
A complete description of each test is given below. The
comments about basicConstraints and keyUsage and V1 certificates
above apply to all CA certificates.
SSL Client
The extended key usage extension must be absent or include
the "web client authentication" OID. keyUsage must be
absent or it must have the digitalSignature bit set.
Netscape certificate type must be absent or it must have
the SSL client bit set.
-- 
Note: please read the netiquette before posting. I will almost never reply to top-postings which include a full copy of the previous article(s) at the end because it's annoying, shows that the poster is too lazy to trim his article, and it's wasting the time of all readers.
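The "SSL Client" rules quoted above from the openssl verify man page can be exercised directly with throwaway self-signed certificates and `openssl verify -purpose sslclient`, which applies the same purpose check an application gets when it sets the SSL-client purpose on its verify context. The script below is an added example, not code from the original post, from sendmail, or from OpenSSL's own test suite; it assumes an OpenSSL 1.1.1 or newer binary on PATH (for `-addext`) and uses made-up certificate names. It shows that a certificate whose extendedKeyUsage lists only serverAuth is rejected as a client certificate, while one with no EKU at all, or with clientAuth included, is accepted, and that a keyUsage without digitalSignature is rejected even when the EKU is fine.

```shell
#!/bin/sh
# Added example, not part of the original post: reproduce the "SSL Client"
# purpose rules from the openssl man page excerpt with throwaway
# self-signed certificates. Needs OpenSSL 1.1.1 or newer (for -addext).
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# client_verdict NAME EKU KEYUSAGE
#   Builds a self-signed cert with the given extendedKeyUsage and keyUsage
#   values (empty string = extension absent), then asks OpenSSL whether it
#   is acceptable as a TLS *client* certificate. Prints "accept" or "reject".
client_verdict() {
    name="$1"; eku="$2"; ku="$3"
    set -- -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -days 1 \
        -subj "/CN=$name" -keyout "$WORK/$name.key" -out "$WORK/$name.pem"
    # keyCertSign is appended so the self-signed cert still works as its own
    # trust anchor; the bit under test is whether digitalSignature is present.
    [ -n "$ku" ] && set -- "$@" -addext "keyUsage=$ku,keyCertSign"
    [ -n "$eku" ] && set -- "$@" -addext "extendedKeyUsage=$eku"
    openssl req "$@" >/dev/null 2>&1
    # -purpose sslclient applies exactly the checks quoted from the man page:
    # EKU absent or containing clientAuth, keyUsage absent or with digitalSignature.
    if openssl verify -purpose sslclient -CAfile "$WORK/$name.pem" \
            "$WORK/$name.pem" >/dev/null 2>&1; then
        echo accept
    else
        echo reject
    fi
}

# Demo table (certificate names and extension sets are constructed here).
printf '%-34s %s\n' "certificate extensions"            "as TLS client"
printf '%-34s %s\n' "no EKU, no keyUsage"               "$(client_verdict plain   ''                    '')"
printf '%-34s %s\n' "EKU=serverAuth"                    "$(client_verdict server  serverAuth            '')"
printf '%-34s %s\n' "EKU=serverAuth,clientAuth"         "$(client_verdict both    serverAuth,clientAuth '')"
printf '%-34s %s\n' "EKU=clientAuth"                    "$(client_verdict client  clientAuth            '')"
printf '%-34s %s\n' "no EKU, keyUsage=keyEncipherment"  "$(client_verdict kuonly  ''                    keyEncipherment)"
printf '%-34s %s\n' "EKU=clientAuth, keyUsage=digSig"   "$(client_verdict kuds    clientAuth            digitalSignature)"
```

The practical consequence for an MTA that presents a certificate when it connects as a client: a certificate minted with only serverAuth in its extendedKeyUsage will fail a peer that verifies with the SSL-client purpose, whereas a certificate with no EKU extension, or with both serverAuth and clientAuth, passes both directions. The same script with `-purpose sslserver` checks the other direction.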