Re: SEC_ERROR_BAD_SIGNATURE with Firefox 3
Christophe Thiaux wrote:
> I can't connect to an SSL server with Firefox 3: it displays SEC_ERROR_BAD_SIGNATURE.
> But if I'm connecting with Firefox 2 and accept the certificate definitely, then the connection with Firefox 3 works.
> My certificate is a self-signed certificate.
> Are there other people who are using such certificates?
> TIA
> --
> Chris

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Step-by-step instructions on creating test email certificates
Neil wrote, On 2008-02-22 03:05:
> Here is what I got to work, loosely based on instructions from Kai Engert:
>
>   cvs -d :pserver:[EMAIL PROTECTED]/cvsroot co mozilla/nsprpub mozilla/security/nss mozilla/security/coreconf mozilla/security/dbm mozilla/dbm
>   make -C mozilla/security/nss nss_build_all
>
> Then, in the profile directory run these commands:
>
>   certutil -d . -S -n example-ca -s CN=ExampleCA,O=ExampleOrg,L=ExampleLoc,ST=ExampleState,C=US -t C,C,C -x -m 0 -w -3 -v 99 -5
>   certutil -d . -S -n user -s CN=User,O=ExampleOrg,L=ExampleLoc,ST=ExampleState,C=US -c example-ca -t p,p,p -m 40 -v 60 -5
>
> I was then able to create an additional identity for [EMAIL PROTECTED] and specify that certificate for signing/encryption.

That user cert you created doesn't have an email address in it. Consequently, there is no way for the identity configuration code to automatically identify it as a candidate for the identity. The code that configures certs for the identity (and presents certs to the user, if a choice is necessary) should give preference to certs with an email address that matches the identity's email address.

There are two ways to add an email address to your user cert, the modern standards-compliant way, and the old de-facto standard way.

Modern way: Add to your command line this additional option:

  -7 [EMAIL PROTECTED]

Old way: Prepend this to your cert subject name (before the CN=)

  [EMAIL PROTECTED],

I suggest you try both (in separate certs).

Oh, and one question. Is that p,p,p really necessary? The 'p' override flags should not be necessary. Please try -t ,,.

/Nelson
Re: Step-by-step instructions on creating test email certificates
Nelson Bolyard wrote:
> That user cert you created doesn't have an email address in it.

Sorry, my bad; I couldn't cut and paste and I overlooked the [EMAIL PROTECTED], in the command line for the email cert.

> I suggest you try both (in separate certs).

They both seem to work, but I like the cert the modern way produces best.

> Oh, and one question. Is that p,p,p really necessary? The 'p' override flags should not be necessary. Please try -t ,,.

Yes, that seems to work too.

--
Warning: May contain traces of nuts.
Re: Step-by-step instructions on creating test email certificates
Neil wrote, On 2008-02-22 06:38:
> Nelson Bolyard wrote:
>> That user cert you created doesn't have an email address in it.
>
> Sorry, my bad; I couldn't cut and paste and I overlooked the [EMAIL PROTECTED], in the command line for the email cert.

Ah, yes, that's yet a third way, even older than the old way. :) The E attribute identifier was never adopted by the IETF. They adopted the MAIL attribute instead.

>> I suggest you try both (in separate certs).
>
> They both seem to work, but I like the cert the modern way produces best.
>
>> Oh, and one question. Is that p,p,p really necessary? The 'p' override flags should not be necessary. Please try -t ,,.
>
> Yes, that seems to work too.

Thanks for testing. Glad it worked for you.

/Nelson
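The identity-matching rule Nelson describes in this sub-thread (prefer the cert whose email address matches the identity's address, whether that address comes from the subjectAltName rfc822Name that `-7` adds or from an `E=` / `MAIL=` attribute in the subject), written out as an added C example for this digest. It is not NSS code: the `TestCert` record, the function names and the three sample certificates are constructed stand-ins, and the DN parsing ignores RFC 4514 escaping.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for a certificate record (constructed for this example;
 * NSS's CERTCertificate carries far more). `san_email` is the rfc822Name
 * that `certutil -7` puts into subjectAltName, or NULL when absent. */
typedef struct {
    const char *nickname;
    const char *subject;    /* DN in the comma-separated form certutil -s takes */
    const char *san_email;
} TestCert;

/* Case-insensitive comparison of the first n bytes; email addresses and
 * attribute types are matched without regard to case. */
static int ieq_n(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
        if (a[i] == '\0') return 1;
    }
    return 1;
}

static int ieq(const char *a, const char *b) {
    return strlen(a) == strlen(b) && ieq_n(a, b, strlen(a));
}

/* Copy the value of attribute `type` (e.g. "E") out of a DN such as
 * "E=user@example.org,CN=User,O=ExampleOrg". Simplification: commas inside
 * values are not handled (no RFC 4514 escaping). Returns 1 on success. */
static int dn_attr(const char *dn, const char *type, char *out, size_t outsz) {
    size_t tlen = strlen(type);
    const char *p = dn;
    for (;;) {
        while (*p == ' ') p++;
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len > tlen && p[tlen] == '=' && ieq_n(p, type, tlen)) {
            size_t vlen = len - tlen - 1;
            if (vlen >= outsz) vlen = outsz - 1;
            memcpy(out, p + tlen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (!end) return 0;
        p = end + 1;
    }
}

/* The address a cert carries, checked in the order the thread lays out:
 * the subjectAltName rfc822Name (modern, -7) first, then the subject's
 * E= or MAIL= attribute (the older forms). NULL when the cert has none. */
const char *cert_email(const TestCert *c, char *buf, size_t bufsz) {
    if (c->san_email) return c->san_email;
    if (dn_attr(c->subject, "E", buf, bufsz)) return buf;
    if (dn_attr(c->subject, "MAIL", buf, bufsz)) return buf;
    return NULL;
}

int cert_matches_identity(const TestCert *c, const char *identity_email) {
    char buf[256];
    const char *e = cert_email(c, buf, sizeof buf);
    return e != NULL && ieq(e, identity_email);
}

/* Index of the first candidate cert for an identity, or -1 when no cert
 * carries the identity's address (the situation Neil first ran into). */
int pick_cert_for_identity(const TestCert *certs, int n, const char *identity_email) {
    for (int i = 0; i < n; i++)
        if (cert_matches_identity(&certs[i], identity_email)) return i;
    return -1;
}

/* Constructed sample: a CA with no address, an "old way" user cert with
 * E= in the subject, and a "modern way" user cert with the address in SAN. */
const TestCert SAMPLE_CERTS[] = {
    { "example-ca",  "CN=ExampleCA,O=ExampleOrg,L=ExampleLoc,ST=ExampleState,C=US", NULL },
    { "user-old",    "E=user@example.org,CN=User,O=ExampleOrg,L=ExampleLoc,ST=ExampleState,C=US", NULL },
    { "user-modern", "CN=User,O=ExampleOrg,L=ExampleLoc,ST=ExampleState,C=US", "user@example.org" },
};
const int SAMPLE_COUNT = (int)(sizeof SAMPLE_CERTS / sizeof SAMPLE_CERTS[0]);

int main(void) {
    int i = pick_cert_for_identity(SAMPLE_CERTS, SAMPLE_COUNT, "user@example.org");
    printf("identity user@example.org -> %s\n",
           i < 0 ? "(no candidate)" : SAMPLE_CERTS[i].nickname);
    return 0;
}
```

Both encodings are accepted so that a cert made either way is found; the CA cert, which carries no address, is never offered as a candidate, which is the failure mode Nelson diagnosed for the original `-s CN=User,...` command.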
Re: problems building NSS 3.11.4 on Solaris
> /bin/sh: ../../../../dist/SunOS5.9_DBG.OBJ: cannot create

Permissions problem? Go into that directory and try to touch SunOS5.9_DBG.OBJ

Wan-Teh Chang [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> On Thu, Feb 21, 2008 at 4:42 PM, Gatfield, Geoffrey [EMAIL PROTECTED] wrote:
>> Hello,
>> I am having trouble building NSS on Solaris. I did gmake nss_build_all but it fails with this:
>>
>> gmake[3]: Leaving directory `/home/Fips/nss/nss-3.11.4/mozilla/security/nss/cmd/shlibsign/mangle'
>> /bin/sh: ../../../../dist/SunOS5.9_DBG.OBJ: cannot create
>> gmake[2]: *** [../../../../dist/SunOS5.9_DBG.OBJ/lib/libsoftokn3.chk] Error 1
>> gmake[2]: Leaving directory `/home/Fips/nss/nss-3.11.4/mozilla/security/nss/cmd/shlibsign'
>> gmake[1]: *** [libs] Error 2
>> gmake[1]: Leaving directory `/home/Fips/nss/nss-3.11.4/mozilla/security/nss/cmd'
>> gmake: *** [libs] Error 2
>>
>> Has anyone come across this problem before?
>
> No, I haven't. I'm afraid that you need to cd into mozilla/security/nss/cmd/shlibsign, run 'gmake' in that directory, and try to narrow down exactly what fails in either the Makefile or the shell script sign.sh (in that directory).
>
> Are you using the Sun Studio compiler or GCC? If GCC, are you using the Solaris ld or the GNU ld?
>
> Your home directory pathname seems to suggest that you're using NSS for its FIPS validation, right?
>
> Wan-Teh
Re: SEC_ERROR_BAD_SIGNATURE with Firefox 3
Christophe Thiaux wrote:
> Christophe Thiaux wrote:
>> I can't connect to an SSL server with Firefox 3: it displays SEC_ERROR_BAD_SIGNATURE.
>> But if I'm connecting with Firefox 2 and accept the certificate definitely, then the connection with Firefox 3 works.
>> My certificate is a self-signed certificate.
>> Are there other people who are using such certificates?

Ah... So in Firefox 2 you get a dialog that warns you the certificate is bad? In Firefox 3 it prevents you from connecting?

This is operating exactly as planned. Both Firefox 2 and Firefox 3 have rejected the certificate as bad since the certificate is inherently untrusted. Firefox 2 rejects the certificate in a way that many users do not recognize as 'rejecting the certificate'. We have fixed this problem in Firefox 3.

In general self-signed certificates are bad crypto hygiene. They are basically only useful for a private user connecting to their own webserver for testing. Firefox 3 does provide a way to eventually trust *just that certificate*, but it's not obvious to users.

I would say that Firefox 3's new UI is a resounding success as it properly identified your certificate as broken in a way that you would recognize.

If you are running a corporate server, you should create a corporate CA. All your users should trust that CA. Then you can issue SSL server certs to your heart's content for those users.

If you need a server that other users need to trust, talk to Eddie ;). He can issue you server certs for a nominal fee, even free in some cases.

bob

>> TIA
Re: SEC_ERROR_BAD_SIGNATURE with Firefox 3
Robert Relyea wrote:
> This is operating exactly as planned. Both Firefox 2 and Firefox 3 have rejected the certificate as bad since the certificate is inherently untrusted. Firefox 2 rejects the certificate in a way that many users do not recognize as 'rejecting the certificate'. We have fixed this problem in Firefox 3.

Bob, expect to receive lots of such mail messages in the near future as FF3 will be released...

> I would say that Firefox 3's new UI is a resounding success as it properly identified your certificate as broken in a way that you would recognize.

...and also expect that there will be many disgruntled admins who used self-signed certificates up to now. It will take a while until this success will be accepted in a natural way. In the long run however I believe that the PKI trust model will gain in strength as it never did in the past.

> If you need a server that other users need to trust, talk to Eddie ;). He can issue you server certs for a nominal fee, even free in some cases.

Allow me to state for the ones who will browse the mailing lists for clues about this error (and many other new and related messages like SEC_ERROR_BAD_SIGNATURE), that basic Class 1 domain validated server certificates are issued for free at http://www.startssl.com/ and more advanced ones after successful Class 2 identity validation (and organization validation). Fees apply only for the validations performed and no fees are charged for the certificate(s) themselves. Basically one isn't limited on the amount of certificates one can create (some restrictions apply).

Hope this helps!

--
Regards

Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org
Jabber: [EMAIL PROTECTED] xmpp:[EMAIL PROTECTED]
Blog: Join the Revolution! http://blog.startcom.org
Phone: +1.213.341.0390
RE: problems building NSS 3.11.4 on Solaris
Hello,

I tried running gmake in the directory and it reported the same error. The shlibsign binary is created but it appears the sign.sh shell script fails. I am building with the Sun Studio compiler and it is using Solaris Link Editors: 5.9-1.377. I am using this for its FIPS compliance.

I ran the build on a linux machine and it ran successfully. At the point where the solaris make fails the linux make outputs this:

Generating DSA Key Pair
Library File: ../../../security/nss/lib/softoken/Linux2.4_x86_glibc_PTH_DBG.OBJ/libsoftokn3.so 925629 bytes
Check File: ../../../security/nss/lib/softoken/Linux2.4_x86_glibc_PTH_DBG.OBJ/libsoftokn3.chk
Link: libsoftokn3.chk
hash: 20 bytes
d7 3f 0b e7 ce 91 88 9a e3 5a 2f 99 98 7d 38 44 33 20 c3 9a
signature: 40 bytes
a4 d9 4a b7 6e fe 46 00 00 52 47 7b 5e 39 5b 05 3a bc de 75 00 6b 58 f6 a9 bd c6 14 50 24 8f 8a 4a 5d bc ff 85 f6 66 66
done

Geoff

-----Original Message-----
>> Hello,
>> I am having trouble building NSS on Solaris. I did gmake nss_build_all but it fails with this:
>>
>> gmake[3]: Leaving directory `/home/Fips/nss/nss-3.11.4/mozilla/security/nss/cmd/shlibsign/mangle'
>> /bin/sh: ../../../../dist/SunOS5.9_DBG.OBJ: cannot create
>> gmake[2]: *** [../../../../dist/SunOS5.9_DBG.OBJ/lib/libsoftokn3.chk] Error 1
>> gmake[2]: Leaving directory `/home/Fips/nss/nss-3.11.4/mozilla/security/nss/cmd/shlibsign'
>> gmake[1]: *** [libs] Error 2
>> gmake[1]: Leaving directory `/home/Fips/nss/nss-3.11.4/mozilla/security/nss/cmd'
>> gmake: *** [libs] Error 2
>>
>> Has anyone come across this problem before?
>
> No, I haven't. I'm afraid that you need to cd into mozilla/security/nss/cmd/shlibsign, run 'gmake' in that directory, and try to narrow down exactly what fails in either the Makefile or the shell script sign.sh (in that directory).
>
> Are you using the Sun Studio compiler or GCC? If GCC, are you using the Solaris ld or the GNU ld?
>
> Your home directory pathname seems to suggest that you're using NSS for its FIPS validation, right?
>
> Wan-Teh
Problems building trunk
pkix_pl_oscpcertid.h contains:

  struct PKIX_PL_OcspCertIDStruct {
      CERTOCSPCertID *certID;
      PRBool certIDWasConsumed;
  };

  /* see source file for function documentation */
  PKIX_Error *pkix_pl_OcspCertID_RegisterSelf(void *plContext);

  PKIX_Error *
  PKIX_PL_OcspCertID_Create(
          PKIX_PL_Cert *cert,
          PKIX_PL_Date *validity,
          PKIX_PL_OcspCertID **object,
          void *plContext);

Unfortunately pkixt.h contains

  typedef struct PKIX_PL_OcspCertIDStruct PKIX_PL_OcspCertID;

I can't get my compiler to accept this. Is this a compiler bug?

--
Warning: May contain traces of nuts.
Re: Problems building trunk
On Fri, Feb 22, 2008 at 4:35 PM, Neil [EMAIL PROTECTED] wrote:
> pkix_pl_oscpcertid.h contains:
>
>   struct PKIX_PL_OcspCertIDStruct {
>       CERTOCSPCertID *certID;
>       PRBool certIDWasConsumed;
>   };
>
>   /* see source file for function documentation */
>   PKIX_Error *pkix_pl_OcspCertID_RegisterSelf(void *plContext);
>
>   PKIX_Error *
>   PKIX_PL_OcspCertID_Create(
>           PKIX_PL_Cert *cert,
>           PKIX_PL_Date *validity,
>           PKIX_PL_OcspCertID **object,
>           void *plContext);
>
> Unfortunately pkixt.h contains
>
>   typedef struct PKIX_PL_OcspCertIDStruct PKIX_PL_OcspCertID;
>
> I can't get my compiler to accept this. Is this a compiler bug?

Can you try adding a forward declaration to pkixt.h

  struct PKIX_PL_OcspCertIDStruct;

before that typedef?

Wan-Teh
Re: Problems building trunk
Wan-Teh Chang wrote:
> On Fri, Feb 22, 2008 at 4:35 PM, Neil [EMAIL PROTECTED] wrote:
>> pkix_pl_oscpcertid.h contains:
>>
>>   struct PKIX_PL_OcspCertIDStruct {
>>       CERTOCSPCertID *certID;
>>       PRBool certIDWasConsumed;
>>   };
>>
>>   /* see source file for function documentation */
>>   PKIX_Error *pkix_pl_OcspCertID_RegisterSelf(void *plContext);
>>
>>   PKIX_Error *
>>   PKIX_PL_OcspCertID_Create(
>>           PKIX_PL_Cert *cert,
>>           PKIX_PL_Date *validity,
>>           PKIX_PL_OcspCertID **object,
>>           void *plContext);
>>
>> Unfortunately pkixt.h contains
>>
>>   typedef struct PKIX_PL_OcspCertIDStruct PKIX_PL_OcspCertID;
>>
>> I can't get my compiler to accept this. Is this a compiler bug?
>
> Can you try adding a forward declaration to pkixt.h
>
>   struct PKIX_PL_OcspCertIDStruct;
>
> before that typedef?

Actually I wasn't clear; it's pkix_pl_oscpcertid.h that my compiler doesn't like, because it doesn't understand PKIX_PL_OcspCertID, but I can try that forward declaration anyway if you like.

--
Warning: May contain traces of nuts.
Re: Problems building trunk
Neil wrote:
> Wan-Teh Chang wrote:
>> On Fri, Feb 22, 2008 at 4:35 PM, Neil [EMAIL PROTECTED] wrote:
>>> pkix_pl_oscpcertid.h contains:
>>>
>>>   struct PKIX_PL_OcspCertIDStruct {
>>>       CERTOCSPCertID *certID;
>>>       PRBool certIDWasConsumed;
>>>   };
>>>
>>>   /* see source file for function documentation */
>>>   PKIX_Error *pkix_pl_OcspCertID_RegisterSelf(void *plContext);
>>>
>>>   PKIX_Error *
>>>   PKIX_PL_OcspCertID_Create(
>>>           PKIX_PL_Cert *cert,
>>>           PKIX_PL_Date *validity,
>>>           PKIX_PL_OcspCertID **object,
>>>           void *plContext);
>>>
>>> Unfortunately pkixt.h contains
>>>
>>>   typedef struct PKIX_PL_OcspCertIDStruct PKIX_PL_OcspCertID;
>>>
>>> I can't get my compiler to accept this. Is this a compiler bug?
>>
>> Can you try adding a forward declaration to pkixt.h
>>
>>   struct PKIX_PL_OcspCertIDStruct;
>>
>> before that typedef?
>
> Actually I wasn't clear; it's pkix_pl_oscpcertid.h that my compiler doesn't like, because it doesn't understand PKIX_PL_OcspCertID, but I can try that forward declaration anyway if you like.

On second thoughts the problem seems to be that someone is including pkix_pl_oscpcertid.h before pkixt.h but I'm not sure how to verify this as I'm cross-compiling, which isn't supported in NSS as far as I know.

--
Warning: May contain traces of nuts.
Re: Problems building trunk
Neil wrote, On 2008-02-22 17:05:
> On second thoughts the problem seems to be that someone is including pkix_pl_oscpcertid.h before pkixt.h

Doesn't the compiler name the .c file that it's trying to compile when this error occurs?

In any case, I'd guess the right fix is for pkix_pl_oscpcertid.h to include pkixt.h, since it depends on types defined there.
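The header-ordering problem this thread works through, reduced to a single file as an added C example for this digest. It is not NSS code: the `OcspCertID` names, the malloc-backed implementation and the reading of the consumed flag as an ownership hand-off are stand-ins chosen here. The three commented sections play the roles of pkixt.h (typedef over an incomplete struct, with the forward declaration Wan-Teh suggested), pkix_pl_oscpcertid.h (prototypes that use the typedef) and the implementation that completes the struct; seen in this order the code compiles, and it is the prototypes appearing before the typedef, as happens when the header is included ahead of pkixt.h, that produces the unknown-type error Neil hit.

```c
#include <stdio.h>
#include <stdlib.h>

/* --- pkixt.h role: an incomplete ("opaque") type. The struct tag is
 * declared first (the forward declaration Wan-Teh proposed); a typedef
 * of an incomplete struct is valid C, so this pair compiles on its own. --- */
struct OcspCertIDStruct;
typedef struct OcspCertIDStruct OcspCertID;

/* --- pkix_pl_oscpcertid.h role: prototypes that need only the typedef.
 * They must appear after the two lines above, which is why the header
 * should include its dependency (Nelson's suggested fix). --- */
int  OcspCertID_Create(long serial, OcspCertID **out);
int  OcspCertID_Consume(OcspCertID *id);
long OcspCertID_Serial(const OcspCertID *id);
void OcspCertID_Destroy(OcspCertID *id);

/* --- the complete definition, needed only by the implementation. `serial`
 * stands in for the CERTOCSPCertID pointer and `consumed` for the
 * certIDWasConsumed flag shown in the thread. --- */
struct OcspCertIDStruct {
    long serial;
    int  consumed;
};

int OcspCertID_Create(long serial, OcspCertID **out) {
    OcspCertID *id = malloc(sizeof *id);
    if (id == NULL) return -1;
    id->serial = serial;
    id->consumed = 0;
    *out = id;
    return 0;
}

/* Ownership hand-off as this example reads the consumed flag: the first
 * consumer takes the inner object, any later attempt is refused. */
int OcspCertID_Consume(OcspCertID *id) {
    if (id->consumed) return -1;
    id->consumed = 1;
    return 0;
}

long OcspCertID_Serial(const OcspCertID *id) { return id->serial; }

void OcspCertID_Destroy(OcspCertID *id) { free(id); }

/* Create, read back the serial, destroy; returns the serial or -1 on failure. */
long demo_serial(long serial) {
    OcspCertID *id = NULL;
    if (OcspCertID_Create(serial, &id) != 0) return -1;
    long s = OcspCertID_Serial(id);
    OcspCertID_Destroy(id);
    return s;
}

/* Consume the same object twice; returns how many attempts succeeded. */
int demo_consume_twice(void) {
    OcspCertID *id = NULL;
    int ok = 0;
    if (OcspCertID_Create(42, &id) != 0) return -1;
    if (OcspCertID_Consume(id) == 0) ok++;
    if (OcspCertID_Consume(id) == 0) ok++;   /* refused: already consumed */
    OcspCertID_Destroy(id);
    return ok;
}

int main(void) {
    printf("serial round-trip: %ld\n", demo_serial(7));
    printf("successful consumes: %d\n", demo_consume_twice());
    return 0;
}
```

Callers only ever hold an `OcspCertID *`, so the struct layout can stay private to the implementation; moving the prototypes above the typedef reproduces the build failure, and including the typedef's header from the prototypes' header is what removes the dependence on inclusion order.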