Problem with CRL LDAP URI

lst_hoe02(a)kwsoft.de wrote:

we constantly get errors for a special CRL point from
www.trustcenter.de. It is an LDAP URI as far as I can see and I have
allowed LDAP through our firewall for Djigzo. I can see some traffic
flow but Djigzo always complains with

IO Exception downloading CRL. URI:
ldap://www.trustcenter.de/CN=TC%20TrustCenter%20Class%203%20CA%20II,O=TC%20TrustCenter%20GmbH,OU=rootcerts,DC=trustcenter,DC=de?certificateRevocationList?base?.
Message: null (mitm.common.security.crl.CRLStoreUpdaterImpl) [CRL
Updater thread]

The root certificate contains two CRL distribution points:

http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
ldap://www.trustcenter.de/CN=TC%20TrustCenter%20Class%203%20CA%20II,O=TC%20TrustCenter%20GmbH,OU=rootcerts,DC=trustcenter,DC=de?certificateRevocationList?base?

The CRL can be downloaded from the HTTP URL. The LDAP server of trust
center however seems not to have the CRL.

You can get some more info on the exact error message by enabling DEBUG
mode for mitm.common.security.crl.CRLStoreUpdaterImpl (you can enable
DEBUG mode by going to Admin -> Logger Manager)

The error message is:

Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - No
Such Object]; remaining name ''

As a test I tried to retrieve the CRL over LDAP using OpenLDAP

ldapsearch -x -H ldap://www.trustcenter.de -b "CN=TC TrustCenter Class 3
CA II,O=TC TrustCenter GmbH,OU=rootcerts,DC=trustcenter,DC=de" -t
certificateRevocationList

This also returns the same kind of error:

# LDAPv3
# base <CN=TC TrustCenter Class 3 CA II,O=TC TrustCenter
GmbH,OU=rootcerts,DC=trustcenter,DC=de> with scope subtree
# filter: (objectclass=*)
# requesting: certificateRevocationList


#

# search result
search: 2
result: 32 No such object

It seems that trustcenter's LDAP is at fault.

Because the CRL was already downloaded via HTTP, this is not really a
problem, because you downloaded a valid CRL.

Kind regards,

Martijn

--
Djigzo open source email encryption
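Added example (not Djigzo's code): it parses the LDAP distribution-point URI from the thread per RFC 4516 and walks the certificate's distribution points in order, so a broken LDAP point like the "No Such Object" one above does not prevent getting the CRL from the HTTP point. Network access is simulated by constructed fetchers; the HTTP_DP/LDAP_DP values are the two URIs quoted in the thread.

```python
from urllib.parse import unquote, urlsplit

# The two distribution points quoted in the thread.
HTTP_DP = "http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl"
LDAP_DP = ("ldap://www.trustcenter.de/CN=TC%20TrustCenter%20Class%203%20CA%20II,"
           "O=TC%20TrustCenter%20GmbH,OU=rootcerts,DC=trustcenter,DC=de"
           "?certificateRevocationList?base?")

def parse_ldap_crl_uri(uri):
    """Split an ldap:// URI into its RFC 4516 parts:
    ldap://host:port/DN?attributes?scope?filter?extensions."""
    parts = urlsplit(uri)
    if parts.scheme != "ldap":
        raise ValueError("not an ldap URI: %s" % uri)
    dn = unquote(parts.path.lstrip("/"))          # DN is percent-encoded in the path
    fields = (parts.query.split("?") + [""] * 4)[:4]
    return {"host": parts.hostname, "port": parts.port or 389, "dn": dn,
            "attributes": [a for a in fields[0].split(",") if a],
            "scope": fields[1] or "base",             # RFC 4516 default scope
            "filter": fields[2] or "(objectClass=*)"} # RFC 4516 default filter

def fetch_crl_with_fallback(distribution_points, fetchers):
    """Try each distribution point in order and return (uri, crl_bytes, failures)
    for the first success. `fetchers` maps a URI scheme to callable(uri) -> bytes."""
    failures = {}
    for uri in distribution_points:
        fetcher = fetchers.get(urlsplit(uri).scheme)
        if fetcher is None:
            failures[uri] = "no fetcher for this scheme"
            continue
        try:
            return uri, fetcher(uri), failures
        except Exception as exc:            # record the failure, move to the next point
            failures[uri] = str(exc)
    raise LookupError("no distribution point yielded a CRL: %r" % failures)

# Constructed stand-ins: HTTP "serves" a fake CRL; LDAP fails as in the thread.
def fake_http_fetch(uri):
    return b"-- constructed CRL bytes, not a real CRL --"

def fake_ldap_fetch(uri):
    parse_ldap_crl_uri(uri)                 # validate the URI shape before "connecting"
    raise LookupError("[LDAP: error code 32 - No Such Object]; remaining name ''")

FETCHERS = {"http": fake_http_fetch, "ldap": fake_ldap_fetch}
```

With real fetchers (an HTTP client and an LDAP search on the parsed DN, attribute and scope), the same loop gives the behaviour the reply describes: the LDAP failure is logged but the HTTP CRL is still used.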