Re: (ITS#6589) Patch - Mozilla NSS - support use of self signed CA certs as server certs

[hyc@symas.com]

Rich Megginson wrote:
> Howard Chu wrote:
>> rmeggins@redhat.com wrote:
>>> Full_Name: Rich Megginson
>>> Version: 2.4.23
>>> OS: Fedora
>>> URL:
>>> ftp://ftp.openldap.org/incoming/openldap-2.4.23-selfsignedcacert-20100714.patch
>>>
>>> Submission from: (NULL) (76.113.111.209)
>>>
>>>
>>> MozNSS doesn't like self-signed CA certs that are also used for
>>> TLS/SSL server certs (such as generated by openssl req -x509)
>>> CERT_VerifyCertificateNow returns SEC_ERROR_UNTRUSTED_ISSUER in that
>>> case
>>> so, see if the cert and issuer are the same cert, and allow the
>>> use of it (with a warning)
>>
>> If you checked to see if the issuer is already trusted, I guess the
>> patch is OK.
>>
>> But that aside, MozNSS's behavior sounds correct to me, and our
>> documentation says to use explicit CA certs, separate from the server
>> cert. Is it really a good idea to break this validation check?
> Probably not, but openssl seems to allow it.  This provides parity with
> the openssl implementation.
>
> This issue came up when testing openldap with NSS support in Fedora.
> The Fedora package creates a self signed CA cert using openssl req
> -x509.  This works with openldap+openssl, but fails with openldap+moznss.

In the OpenSSL case, it only succeeds if the cert is configured as both a CA 
cert and a server cert. I.e., the client must have been configured to trust 
the cert already. I believe for your patch, it should fail when 
CERT_FindCertIssuer() returns NULL. No?

>> Also, where does this check occur in the main sequence of verification
>> - has the BasicConstraints, KeyUsage, and/or NetscapeCertType already
>> been checked successfully?
> Yes.  This check occurs in the cert chain processing, which is done last.

OK.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/