Nelson B wrote: > Ingo Kappler wrote: >> >> For secure mail connections I use a selfsigned certificate on the server, >> created with openssl. > > Here's the full story. > ......
Thank-you for the detailed description. > If you want your cert to be both self signed and self identified, then > you'll have to fix it to have these properties. I will do so. >> It works for my needs with netscape 6.2 and kmail and >> other programs, except mozilla 1.0 and netscape 7. > >> I get an error message saying it couldn`t establish a secure connection >> for the cert might be destroyed or not usable with error-code -8182. > > Right, Your cert apparently is not really self signed. The signature > really does not verify using the public key in that same cert. Mozilla > is now complaining about that. > >> What has changed? > > What has changed is that a new bug in mozilla causes mozilla to think > that your cert IS self-issued, when it really isn't. Mozilla's check > for a self-signed cert is not presently paying attention to the authority > key identifier. It's ignoring condition 2. Since your certificate meets > condition 1, mozilla now thinks your cert is self-issued, and therefore > expects it to be self-signed, which it apparently isn't. When mozilla > checks the signature on the cert with the cert's public key, it finds > the signature is invalid, and so it complains. > > Mozilla treats the invalid signature error differently from most other > cert errors. After most other cert errors, mozilla gives you the > chance to accept the cert anyway and continue with SSL, storing the cert > in your list of certs for trusted web servers, but when the certificate's > signature is invalid, mozilla doesn't give you that option. That's > certainly an inconsistency, and I think it's a bug. > > I have filed two new bugs against mozilla's security components for these > two issues. > http://bugzilla.mozilla.org/show_bug.cgi?id=157218 > http://bugzilla.mozilla.org/show_bug.cgi?id=157224 Thanks for filling up the bugs. > In the meantime, you can change your cert so that it works with any > version of mozilla or communicator. You could do any of the following: > > 1. issue your server a new cert that does not meet condition 1 of being > self issued. In other words, issue a new cert that appears to have been > issued by a cert with a different subject name, one that doesn't exist. > That cert will behave exactly the same way with N7 that your old cert > behaved with old versions of N6. > > or > > 2. issue your server a new cert that really is self-signed and really is > self-issued. I don't know why your present certificate isn't really > self signed. Since you made it with OpenSSL, you'll have to ask some > OpenSSL folks what to do differently to be self signed. As for being > self issued, I suggest you simply leave off the authority and subject > key ID extensions from the cert. > > Either way, be sure you don't issue a new cert with the same issuer and > serial number as you've used before. Be sure your new certs all have new > and unique serial numbers. Otherwise, you'll run into more troubles. Again, Thank-you. Regards, Ingo Kappler >> Thanks Ingo > > -- > Nelson B > (Please don't reply to this email address. Please reply to the > newsgroup.)
