Re: Verisign CA Certs missing from Mozilla 1.0 RC1?

2002-05-29 Thread Julien Pierre

Daniel,

Daniel Kluge wrote:
 
 IE stores not only the root certificates, but also all intermediate
 certificates, hence it is successful in putting together the certificate
 chain.

IE is only successful in putting together the full cert chain if it
already has a copy of the intermediate CA cert stored in its cert
database. This can only be done if you have previously visited another
secure server that was correctly configured and sent the entire cert
chain. This has the effect of hiding from IE users the misconfiguration of
the server visited the second time, which failed to send part of the
cert chain, namely the intermediate CA.

 And actually as far as the size of those go, a collection of root
 certificates is much much bigger, than the one with the intermediate
 certificates, so the bloat theory doesn't quite hold water.

That simply isn't true; the potential for bloat is there. Each root CA
can issue any number of intermediate CAs, which could issue more, and so
forth. The potential growth of the PKI tree is exponential, depending on
which sites you visit. It is true that the bloat doesn't exist today,
because most CAs only use a few or no intermediate CA certs. However,
that may not be the case tomorrow when PKI becomes more widely deployed.

-- 
Except for the lack of debugging and the ps thing, [Linux] kernel
threads are generally fine right now. And if you're not too fussed
about the more fiddly details of POSIX threads, and your application
doesn't spend most of its time in thread creation, then LinuxThreads
is great too.

  Linux-Kernel archive




Re: Verisign CA Certs missing from Mozilla 1.0 RC1?

2002-05-24 Thread Daniel Kluge

Just to keep this thread alive (well sort of), I'm updating with my 
current status on this issue.

Robert Relyea wrote:

 My guess is the certificate in question is a secondary CA signed by a 
 primary. The problem is that gtoc.iss.net is probably misconfigured. 
 It should send the secondary certificate with its server certificate. 
 Their misconfiguration is masked on IE because IE throws every CA 
 cert it finds into its permanent certificate store. 

Correct on the first, wrong on the second.

IE stores not only the root certificates, but also all intermediate 
certificates, hence it is successful in putting together the certificate 
chain.

And actually as far as the size of those go, a collection of root 
certificates is much much bigger, than the one with the intermediate 
certificates, so the bloat theory doesn't quite hold water.

The Trusted CA Store from IE has 114 entries, all self-signed; the 
intermediate CA store has 12 entries.



 Daniel Kluge wrote:

 Hello there,
 I was just visiting https://gtoc.iss.net/, which gives me an 'Unknown 
 Certificate Signer' or so error.

 Turns out that the site's SSL Certificate is signed by a Verisign CA 
 Certificate that is not known to Mozilla. The Certificate in question 
 is OU = VeriSign International Server CA - Class 3.

 Now I said, 'appears' above, since I've run into several problems:

 1. The Mozilla Certificate Manager doesn't seem to allow you to 
 export certificates, IE does.
 2. The certs are stored in an undocumented proprietary format (certs7.db)
 3. For above database, I didn't find the utility (certutil), and I 
 don't have the time to configure and build NSS/NSPR/world, so I have 
 my own copy of certutil.


 Since the operation you are asking for is 'import', I presume you 
 meant import in '1.' above. I also presume you mean only of CA 
 certificates, since you can clearly import/export user certificates 
 from the 'my certs' tab. 

Nope, I wanted to export the certificates, to have a look at them...



 To import Certs in mozilla, you simply need to 'read' them as a mime 
 message. I believe mozilla maps files with the extensions 'cacert' and 
 'cert' to the correct MIME types.

 You can also download certutil from one of the NSS releases at 
 ftp://ftp.mozilla.org/pub/security/nss/releases . Certutil will allow 
 you to import or export any certificate from your cert database.

I sort of tried that; after downloading a huge NSS release, and then 
finding a sort of matching NSPR release, I got some nice coredumps from 
certutil.



 If my above theory is correct you will not have to add any trust 
 values to the cert, simply importing the cert should be sufficient.


I'll try to do that, as soon as I get my preference panel back; 
Mozilla 1.0 RC2 and Netscape 7 PR1 do not play very nice at the moment...



 Of course to make matters more interesting, I have not yet been able 
 to find the cert in question on Verisign's Web-Site, they are quite 
 good at hiding the useful information. I just found a PDF file which 
 lists the Cert in question...

 I could extract the certificate from my dump of IE's certificate 
 (PKCS#7 format), but what do I do then with it? To import it I'd need 
 certutil again...


 try naming it verisign3.cacert and opening it using 'open file'.

See above, as soon as I get my preference back.

Cheers,
-daniel






Re: Verisign CA Certs missing from Mozilla 1.0 RC1?

2002-05-03 Thread Christian Schulte

Kai Engert wrote:
 There is yet another way to do it.
 
 If you can configure your web server, change the mime type your server 
 gives out. By doing so you can download certs over the web.

Exactly! That is the way I will do it. Simple but effective. Thanks!





Re: Verisign CA Certs missing from Mozilla 1.0 RC1?

2002-05-01 Thread Victor Probo

I don't believe SSL ever had an RFC defining the protocol. RFC 2246 does 
define TLS Proto Version 1.0. In the handshake message descriptions is:

Section 7.4.2.  Server certificate
...
   certificate_list
This is a sequence (chain) of X.509v3 certificates. The sender's
certificate must come first in the list. Each following
certificate must directly certify the one preceding it. Because
certificate validation requires that root keys be distributed
independently, the self-signed certificate which specifies the
root certificate authority may optionally be omitted from the
chain, under the assumption that the remote end must already
possess it in order to validate it in any case.
...

Looks like only the self-signed root may be omitted (in TLS). Darned if I 
can find the SSL specs I downloaded from Netscape so long ago.


Victor Probo


Dave Roberts wrote:
 The system believed it was 4/30/2002 11:27 PM, when Julien Pierre typed:
 
 
The SSL protocol specifies that the server must present
its entire certificate chain to the client, but this server is not doing
 
 
 Are you sure about this?  I'm working from memory here, but I thought
 the SSL spec did not mandate that the whole chain needed to be sent.
 (I'll try to look it up later).
 
 It would be logical however to supply any intermediate CAs as the
 client may not have those on record, but the root CA should not have to
 be sent - particularly if it's a known CA.
 
 AIUI Microsoft's IIS only supplies the end certificate by default.  Not
 that that has any bearing on standards at all. :)
 
 - Dave.
 





Re: Verisign CA Certs missing from Mozilla 1.0 RC1?

2002-05-01 Thread Ben Bucksch

Victor Probo wrote:

 Darned if I can find the SSL specs I downloaded from Netscape so long ago.

http://www.openssl.org/related/ssl.html

Google is your friend :-)




Re: Verisign CA Certs missing from Mozilla 1.0 RC1?

2002-05-01 Thread Nelson B. Bolyard

Ben Bucksch wrote:
 
 Victor Probo wrote:
 
  Darned if I can find the SSL specs I downloaded from Netscape so long ago.
 
 http://www.openssl.org/related/ssl.html

The link given on that page is for the very first draft of the SSL v3
protocol spec.  That draft does not represent the final protocol as 
presently implemented in many products.

The final draft of the SSL v3 protocol spec may be found at 
http://home.netscape.com/eng/ssl3/draft302.txt

It's been there since it was first published.

--
Nelson Bolyard   Netscape 
Disclaimer:  I speak for myself, not for Netscape




Re: Verisign CA Certs missing from Mozilla 1.0 RC1?

2002-05-01 Thread Robert Relyea


 To import Certs in mozilla, you simply need to 'read' them as a mime 
 message. I believe mozilla maps files with the extensions 'cacert' and 
 'cert' to the correct MIME types.
 
 
 Sorry! No, mozilla does not recognize cacert or cert and reading as a 
 mime-message does not work either !

My mistake on the first account. I thought cacert mappings were set up 
by default. You can enable this by doing the following:

Go to Preferences > Navigator > Helper Applications
Click on New Type...
Fill in the following fields:
Description of type:   CA Cert
File Extension:   cacert
MIME type:   application/x-x509-ca-cert

Leave the last field blank.

Now you can click on a .cacert file in your filesystem and it will load 
it as a ca cert.

This whole thing should be made much easier. If you do this you can see 
most of the code is already built into the browser -- it just needs to 
be turned on.





Re: Verisign CA Certs missing from Mozilla 1.0 RC1?

2002-04-30 Thread Julien Pierre

Christian,

Christian Schulte wrote:
 
 Robert Relyea wrote:
  My guess is the certificate in question is a secondary CA signed by a
  primary. The problem is that gtoc.iss.net is probably misconfigured. It
  should send the secondary certificate with its server certificate.
  Their misconfiguration is masked on IE because IE throws every CA cert
  it finds into its permanent certificate store.
 
  Daniel Kluge wrote:
 
  Hello there,
  I was just visiting https://gtoc.iss.net/, which gives me an 'Unknown
  Certificate Signer' or so error.

This is a problem with the https://gtoc.iss.net SSL server
configuration. We see a lot of these misconfigured servers these days.
That server does not transmit the full certificate chain, from leaf cert
(SSL server cert with a subject of gtoc.iss.net) to the root Verisign
cert, and the intermediate verisign certificate.

Unlike IE, Netscape Communicator and Mozilla do not save the
intermediate certificates into the database, in order not to grow the
database indefinitely every time you visit a new SSL web site. Only the
root certificates are kept persistently (and actually they are now in a
PKCS#11 module). The SSL protocol specifies that the server must present
its entire certificate chain to the client, but this server is not doing
so, and therefore Mozilla cannot verify it. This is not a Mozilla bug. The
solution is for the system administrator to correct the server
configuration.

-- 
Except for the lack of debugging and the ps thing, [Linux] kernel
threads are generally fine right now. And if you're not too fussed
about the more fiddly details of POSIX threads, and your application
doesn't spend most of its time in thread creation, then LinuxThreads
is great too.

  Linux-Kernel archive