[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#6589) Patch - Mozilla NSS - support use of self signed CA certs as server certs
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#6589) Patch - Mozilla NSS - support use of self signed CA certs as server certs
- From: rmeggins@redhat.com
- Date: Wed, 14 Jul 2010 21:14:44 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Howard Chu wrote:
> Rich Megginson wrote:
>> Howard Chu wrote:
>>> Rich Megginson wrote:
>>>> Howard Chu wrote:
>>>>> rmeggins@redhat.com wrote:
>>>>>> Full_Name: Rich Megginson
>>>>>> Version: 2.4.23
>>>>>> OS: Fedora
>>>>>> URL:
>>>>>> ftp://ftp.openldap.org/incoming/openldap-2.4.23-selfsignedcacert-20100714.patch
>>>>>>
>>>>>>
>>>>>>
>>>>>> Submission from: (NULL) (76.113.111.209)
>>>>>>
>>>>>>
>>>>>> MozNSS doesn't like self-signed CA certs that are also used for
>>>>>> TLS/SSL server certs (such as generated by openssl req -x509)
>>>>>> CERT_VerifyCertificateNow returns SEC_ERROR_UNTRUSTED_ISSUER in that
>>>>>> case
>>>>>> so, see if the cert and issuer are the same cert, and allow the
>>>>>> use of it (with a warning)
>>>>>
>>>>> If you checked to see if the issuer is already trusted, I guess the
>>>>> patch is OK.
>>>>>
>>>>> But that aside, MozNSS's behavior sounds correct to me, and our
>>>>> documentation says to use explicit CA certs, separate from the server
>>>>> cert. Is it really a good idea to break this validation check?
>>>> Probably not, but openssl seems to allow it. This provides parity
>>>> with
>>>> the openssl implementation.
>>>>
>>>> This issue came up when testing openldap with NSS support in Fedora.
>>>> The Fedora package creates a self signed CA cert using openssl req
>>>> -x509. This works with openldap+openssl, but fails with
>>>> openldap+moznss.
>>>
>>> In the OpenSSL case, it only succeeds if the cert is configured as
>>> both a CA cert and a server cert. I.e., the client must have been
>>> configured to trust the cert already. I believe for your patch, it
>>> should fail when CERT_FindCertIssuer() returns NULL. No?
>> You are correct. I've uploaded a new patch.
>
> OK, committed. Thanks for the patch.
And thank you for your help.
>
>> URL:
>> ftp://ftp.openldap.org/incoming/openldap-2.4.23-selfsignedcacert-20100714-2.patch<ftp://ftp.openldap.org/incoming/openldap-2.4.23-selfsignedcacert-20100714.patch>
>>
>>
>> Here is the diff between the two patches:
>> 32,34c32
>> < + /* no issuer - warn and
>> allow */
>> < + status = SECSuccess;
>> < + rc = 0;
>> ---
>> > + /* no issuer - fail */
>> 36c34
>> < + "TLS: warning: the
>> server certificate %s has no issuer - "
>> ---
>> > + "TLS: error: the
>> server certificate %s has no issuer - "
>>
>>>
>>>>> Also, where does this check occur in the main sequence of
>>>>> verification
>>>>> - has the BasicConstraints, KeyUsage, and/or NetscapeCertType already
>>>>> been checked successfully?
>>>> Yes. This check occurs in the cert chain processing, which is done
>>>> last.
>>>
>>> OK.
>>>
>>
>>
>
>