Re: IIS with client certificate incompatible with Mozilla ?

2003-09-12 Thread Richie B.
[EMAIL PROTECTED] (Richie B.) wrote in message news:[EMAIL PROTECTED]...
 Nelson B [EMAIL PROTECTED] wrote:
  The possible explanations include:
  
  a) the server is not sending the name of the cert's issuer in the client
  cert request (a server misconfiguration),
 
 Possible. I'm trying to troubleshoot this using ssldump.

Ok, the troubleshooting is done. IIS sends a long list of CAs with the
certificate request, but not the one my client certificate is signed
with. I imported another certificate into Mozilla, and now I get the
popup to select the client certificate to use.

The solution seems to be to get IIS to send the correct CA certificate
(RSA Data Security) list. Since this is not a Mozilla issue at all, I
won't bore you with this any longer.

Thanks a lot for your suggestions, I doubt I would have been able to
solve this otherwise.

Richie



Re: IIS with client certificate incompatible with Mozilla ?

2003-09-12 Thread Jean-Marc Desperrier
Richie B. wrote:
IIS sends a long list of CAs with the
certificate request, but not the one my client certificate is signed
with. 
You said it worked with IE 6.
If this is the problem, you should get exactly the same behaviour with 
IE 6 as with Mozilla.

The solution seems to be to get IIS to send the correct CA certificate
(RSA Data Security) list. Since this is not a Mozilla issue at all, I
won't bore you with this any longer.
BTW, the list of roots IIS presents is completely unrelated to the actual 
list of roots you've told it to trust for client certificates.

IIS will only send you in this list the root certificates present inside 
the root certificate store of the computer and enabled for SSL.

Mozilla will need to have locally available the intermediate certificate 
to go up to the root.
Some other web servers do not behave this way and have less constraints.




Re: IIS with client certificate incompatible with Mozilla ?

2003-09-02 Thread Nelson B
Richie B. wrote:
I have a customer who is running IIS 5.0. We need to contact a page on
that server that is protected with SSL and requires client
certificates. I have imported the client certificate in Mozilla 1.4 on
Linux. When I access the page, the server responds:
HTTP 403.7 - Forbidden: Client certificate required
The possible explanations include:

a) the server is not sending the name of the cert's issuer in the client
cert request (a server misconfiguration),
b) the browser does not have the private key for the user cert,
c) the browser does not have the complete chain of CA certs for the user
cert
d) The user cert, or one of the CAs in its chain, is not valid for SSL
client authentication, due to the presence or absence of some certificate
extension that defines the valid usages for the cert.
e) the user cert has expired or is not yet valid, or one of the certs in
its chain has expired or is not yet valid.
You can check the last 4 items using the certificate manager built into
moz 1.4.  The cert should appear in the tab of your certs, and should
appear to be valid for SSL, and the cert chain should appear to be
complete, up to a known root CA cert.
--
Nelson B



Re: IIS with client certificate incompatible with Mozilla ?

2003-08-28 Thread Julien Pierre
Richie,

Richie B. wrote:

I have a customer who is running IIS 5.0. We need to contact a page on
that server that is protected with SSL and requires client
certificates. I have imported the client certificate in Mozilla 1.4 on
Linux. When I access the page, the server responds:
HTTP 403.7 - Forbidden: Client certificate required

The User Identification Request popup is never shown. However, when
I connect with IE6, a similar popup is shown, and I can access the
page. Also, using openssl s_client -cert client.pem works fine and
shows the page.
I have tried to debug this, but the problem is that the server only
requests the client certificate after the browser sends the GET
statement. So, the first (readable) handshake is without client
certificates. The renegotiation that happens after the GET is
encrypted and I cannot see the problem.
I am guessing this is an IIS issue, but I cannot prove it.

Has anyone else seen this? Any ideas?
First, make sure that you set your client to always prompt you to select 
the certificate.

I don't know how you specifically configure this in IIS, however :
When doing client auth, the SSL protocol requires the server to send the 
subject name(s) of the trusted certificate authority(ies) to the client. 
You need to configure the certificates you trust for client auth in IIS.

Some misconfigured servers may not send over the subject list. If that's 
the case, Mozilla may have a hard time choosing a client certificate.

If you trust the CAs it will most likely solve your problem.

It may also be that your client certificate was incorrectly imported in 
Mozilla, or its issuer doesn't match the subject sent over by IIS.

If none of this applies, there may be a Mozilla/PSM/NSS bug, but in 
order to solve it we most likely will have to be able to access your server.




Re: IIS with client certificate incompatible with Mozilla ?

2003-08-28 Thread Stephen Henson
In article [EMAIL PROTECTED], [EMAIL PROTECTED] says...
 I have a customer who is running IIS 5.0. We need to contact a page on
 that server that is protected with SSL and requires client
 certificates. I have imported the client certificate in Mozilla 1.4 on
 Linux. When I access the page, the server responds:
 
 HTTP 403.7 - Forbidden: Client certificate required
 
 The User Identification Request popup is never shown. However, when
 I connect with IE6, a similar popup is shown, and I can access the
 page. Also, using openssl s_client -cert client.pem works fine and
 shows the page.
 

See what list of client CAs you get with s_client. 

If you don't get any try using the -prexit option after you manually 
type in the GET. 

See if the CA you want to use is in the list. If it isn't IIS isn't 
configured to send your CA in its list. I can't quite recall how to add 
a CA to the list IIS sends for client auth. I *think* you had to check 
the physical stores checkbox and something like trusted root authorities 
then local computer in the import wizard.

Steve.
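The check Richie ended up doing by hand with ssldump (is the CA that signed my client certificate among the names IIS sends in its CertificateRequest?) and the one Steve suggests doing with openssl s_client, as an added example in Python. This is not code from the thread; it assumes the TLS 1.0/1.1 CertificateRequest layout of RFC 2246 (handshake type 13, a list of certificate types, then a list of 2-byte-length-prefixed DER DistinguishedNames), which is what IIS 5.0 and Mozilla 1.4 would have negotiated in 2003. TLS 1.2 inserts a supported_signature_algorithms field before the CA list and TLS 1.3 restructures the message entirely, so the raw parser below is for those older versions only. The DNs, the handshake bytes and the s_client output are all constructed for the example; the "RSA Data Security" DN is illustrative and not the real certificate's subject.

```python
# Added example: is my client cert's issuer in the CA list the server advertises?
from typing import List, Tuple

# Minimal DER support for X.501 Names, enough for the attributes used below.
OIDS = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a",
        "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, contents, position just past this element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def der_name(rdns: List[Tuple[str, str]]) -> bytes:
    """Encode [("C", "US"), ("O", "..."), ...] as a DER Name, one attribute per RDN."""
    out = b""
    for attr, value in rdns:
        atv = _tlv(0x30, _tlv(0x06, OIDS[attr]) + _tlv(0x13, value.encode("ascii")))
        out += _tlv(0x31, atv)                      # SET OF AttributeTypeAndValue
    return _tlv(0x30, out)                          # SEQUENCE OF RDN

def der_name_to_str(der: bytes) -> str:
    """Render a Name produced by der_name() as 'C=US, O=..., CN=...'."""
    rev, parts, pos = {v: k for k, v in OIDS.items()}, [], 0
    _, seq, _ = _read_tlv(der)
    while pos < len(seq):
        _, rdn, pos = _read_tlv(seq, pos)           # SET { SEQUENCE { type, value } }
        _, oid, p = _read_tlv(_read_tlv(rdn)[1])
        _, val, _ = _read_tlv(_read_tlv(rdn)[1], p)
        parts.append(f"{rev.get(oid, oid.hex())}={val.decode('ascii', 'replace')}")
    return ", ".join(parts)

# TLS 1.0/1.1 CertificateRequest (RFC 2246, 7.4.4): type 13, 3-byte length,
# certificate_types<1..255>, then certificate_authorities<3..65535> of DER Names.
def build_certificate_request(ca_names: List[bytes]) -> bytes:
    """Assemble what the server sends (used here only to construct test input)."""
    cas = b"".join(len(n).to_bytes(2, "big") + n for n in ca_names)
    body = bytes([1, 1]) + len(cas).to_bytes(2, "big") + cas   # one type: rsa_sign
    return bytes([13]) + len(body).to_bytes(3, "big") + body

def parse_certificate_request(msg: bytes) -> List[bytes]:
    """Return the DER Names in certificate_authorities, rejecting malformed input."""
    if not msg or msg[0] != 13:
        raise ValueError("not a CertificateRequest handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    pos = 1 + body[0]                               # skip certificate_types
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    if end > len(body):
        raise ValueError("certificate_authorities overruns the message")
    names, pos = [], pos + 2
    while pos < end:
        n = int.from_bytes(body[pos:pos + 2], "big")
        names.append(body[pos + 2:pos + 2 + n])
        pos += 2 + n
    if pos != end:
        raise ValueError("malformed certificate_authorities list")
    return names

def issuer_is_acceptable(issuer_der: bytes, msg: bytes) -> bool:
    """Clients compare the exact DER bytes of the Name, so that is what we do."""
    return issuer_der in parse_certificate_request(msg)

def acceptable_cas_from_s_client(output: str) -> List[str]:
    """Pull the 'Acceptable client certificate CA names' block out of s_client output."""
    names, collecting = [], False
    for line in output.splitlines():
        if line.startswith("Acceptable client certificate CA names"):
            collecting = True
        elif line.startswith("No client certificate CA names sent"):
            return []                               # cert requested, empty CA list
        elif collecting:
            if not line.strip() or line.startswith(("---", "Client Certificate Types",
                    "Requested Signature Algorithms", "Shared Requested Signature")):
                break
            names.append(line.strip())
    return names

# Constructed sample data; the DNs are illustrative, not copied from real certificates.
ISSUER = der_name([("C", "US"), ("O", "RSA Data Security, Inc."),
                   ("OU", "Secure Server Certification Authority")])
OTHER_CAS = [der_name([("C", "US"), ("O", "Example Corp"), ("CN", "Example Root CA")]),
             der_name([("C", "US"), ("O", "Example Corp"), ("CN", "Example Policy CA")])]
REQUEST_WITHOUT_ISSUER = build_certificate_request(OTHER_CAS)          # the IIS symptom
REQUEST_WITH_ISSUER = build_certificate_request(OTHER_CAS + [ISSUER])  # after the fix
S_CLIENT_OUTPUT = """---
Acceptable client certificate CA names
/C=US/O=Example Corp/CN=Example Root CA
/C=US/O=Example Corp/CN=Example Policy CA
---
SSL handshake has read 2311 bytes and written 455 bytes
"""
```

`issuer_is_acceptable(ISSUER, REQUEST_WITHOUT_ISSUER)` is False and `issuer_is_acceptable(ISSUER, REQUEST_WITH_ISSUER)` is True; `der_name_to_str` over `parse_certificate_request(...)` prints the list the way ssldump would show it once it has the server's private key (a capture saved with tcpdump can be decoded offline with ssldump -r and -k). Because the comparison is on the exact DER bytes of the issuer Name, a client certificate signed by an intermediate only qualifies if the chain can be walked up to one of the advertised names, which is the reason the intermediate has to be present locally when the server lists only roots, as Jean-Marc points out elsewhere in the thread.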



Re: IIS with client certificate incompatible with Mozilla ?

2003-08-28 Thread Jean-Marc Desperrier
Richie B. wrote:
[...] I have imported the client certificate in Mozilla 1.4 on
Linux. When I access the page, the server responds:
HTTP 403.7 - Forbidden: Client certificate required

[...]
certificates. The renegotiation that happens after the GET is
encrypted and I cannot see the problem.
Use ssldump (http://www.rtfm.com/ssldump/).

If you provide it with the private key of the server it will be able to 
fully decode the connection. You can even record it in tcpdump format and 
decode it with ssldump later.

I am guessing this is an IIS issue, but I cannot prove it.
I am not so sure. It has improved, but earlier Mozilla versions had problems 
in such situations that no other software had.




IIS with client certificate incompatible with Mozilla ?

2003-08-27 Thread Richie B.
I have a customer who is running IIS 5.0. We need to contact a page on
that server that is protected with SSL and requires client
certificates. I have imported the client certificate in Mozilla 1.4 on
Linux. When I access the page, the server responds:

HTTP 403.7 - Forbidden: Client certificate required

The User Identification Request popup is never shown. However, when
I connect with IE6, a similar popup is shown, and I can access the
page. Also, using openssl s_client -cert client.pem works fine and
shows the page.

I have tried to debug this, but the problem is that the server only
requests the client certificate after the browser sends the GET
statement. So, the first (readable) handshake is without client
certificates. The renegotiation that happens after the GET is
encrypted and I cannot see the problem.

I am guessing this is an IIS issue, but I cannot prove it.

Has anyone else seen this? Any ideas?

Thanks,

Richie

PS: please Cc me when replying to the newsgroup

--
Yes, that *is* my E-mail address