[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6589) Patch - Mozilla NSS - support use of self signed CA certs as server certs

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6589) Patch - Mozilla NSS - support use of self signed CA certs as server certs
From: rmeggins@redhat.com
Date: Wed, 14 Jul 2010 21:14:44 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

Howard Chu wrote:
> Rich Megginson wrote:
>> Howard Chu wrote:
>>> Rich Megginson wrote:
>>>> Howard Chu wrote:
>>>>> rmeggins@redhat.com wrote:
>>>>>> Full_Name: Rich Megginson
>>>>>> Version: 2.4.23
>>>>>> OS: Fedora
>>>>>> URL:
>>>>>> ftp://ftp.openldap.org/incoming/openldap-2.4.23-selfsignedcacert-20100714.patch 
>>>>>>
>>>>>>
>>>>>>
>>>>>> Submission from: (NULL) (76.113.111.209)
>>>>>>
>>>>>>
>>>>>> MozNSS doesn't like self-signed CA certs that are also used for
>>>>>> TLS/SSL server certs (such as generated by openssl req -x509)
>>>>>> CERT_VerifyCertificateNow returns SEC_ERROR_UNTRUSTED_ISSUER in that
>>>>>> case
>>>>>> so, see if the cert and issuer are the same cert, and allow the
>>>>>> use of it (with a warning)
>>>>>
>>>>> If you checked to see if the issuer is already trusted, I guess the
>>>>> patch is OK.
>>>>>
>>>>> But that aside, MozNSS's behavior sounds correct to me, and our
>>>>> documentation says to use explicit CA certs, separate from the server
>>>>> cert. Is it really a good idea to break this validation check?
>>>> Probably not, but openssl seems to allow it.  This provides parity 
>>>> with
>>>> the openssl implementation.
>>>>
>>>> This issue came up when testing openldap with NSS support in Fedora.
>>>> The Fedora package creates a self signed CA cert using openssl req
>>>> -x509.  This works with openldap+openssl, but fails with
>>>> openldap+moznss.
>>>
>>> In the OpenSSL case, it only succeeds if the cert is configured as
>>> both a CA cert and a server cert. I.e., the client must have been
>>> configured to trust the cert already. I believe for your patch, it
>>> should fail when CERT_FindCertIssuer() returns NULL. No?
>> You are correct.  I've uploaded a new patch.
>
> OK, committed. Thanks for the patch.
And thank you for your help.
>
>> URL: 
>> ftp://ftp.openldap.org/incoming/openldap-2.4.23-selfsignedcacert-20100714-2.patch<ftp://ftp.openldap.org/incoming/openldap-2.4.23-selfsignedcacert-20100714.patch> 
>>
>>
>> Here is the diff between the two patches:
>> 32,34c32
>> <  +                                     /* no issuer - warn and 
>> allow */
>> <  +                                     status = SECSuccess;
>> <  +                                     rc = 0;
>> ---
>>   >  +                                     /* no issuer - fail */
>> 36c34
>> <  +                                                "TLS: warning: the
>> server certificate %s has no issuer - "
>> ---
>>   >  +                                                "TLS: error: the
>> server certificate %s has no issuer - "
>>
>>>
>>>>> Also, where does this check occur in the main sequence of 
>>>>> verification
>>>>> - has the BasicConstraints, KeyUsage, and/or NetscapeCertType already
>>>>> been checked successfully?
>>>> Yes.  This check occurs in the cert chain processing, which is done
>>>> last.
>>>
>>> OK.
>>>
>>
>>
>
>

Prev by Date: Re: (ITS#6589) Patch - Mozilla NSS - support use of self signed CA certs as server certs
Next by Date: ITS#6576
Index(es):
- Chronological
- Thread