Nelson B wrote:

> Ingo Kappler wrote:
>> 
>> For secure mail connections I use a selfsigned certificate on the server,
>> created with openssl.
> 
> Here's the full story.
> ......

Thank-you for the detailed description.

> If you want your cert to be both self signed and self identified, then
> you'll have to fix it to have these properties.

I will do so.

>> It works for my needs with netscape 6.2 and kmail and
>> other programs, except mozilla 1.0 and netscape 7.
> 
>> I get an error message saying it couldn`t establish a secure connection
>> for the cert might be destroyed or not usable with error-code -8182.
> 
> Right,  Your cert apparently is not really  self signed.  The signature
> really does not verify using the public key in that same cert.  Mozilla
> is now complaining about that.
> 
>> What has changed?
> 
> What has changed is that a new bug in mozilla causes mozilla to think
> that your cert IS self-issued, when it really isn't.  Mozilla's check
> for a self-signed cert is not presently paying attention to the authority
> key identifier.  It's ignoring condition 2.  Since your certificate meets
> condition 1, mozilla now thinks your cert is self-issued, and therefore
> expects it to be self-signed, which it apparently isn't.  When mozilla
> checks the signature on the cert with the cert's public key, it finds
> the signature is invalid, and so it complains.
> 
> Mozilla treats the invalid signature error differently from most other
> cert errors.  After most other cert errors, mozilla gives you the
> chance to accept the cert anyway and continue with SSL, storing the cert
> in your list of certs for trusted web servers, but when the certificate's
> signature is invalid, mozilla doesn't give you that option.  That's
> certainly an inconsistency, and I think it's a bug.
> 
> I have filed two new bugs against mozilla's security components for these
> two issues.
> http://bugzilla.mozilla.org/show_bug.cgi?id=157218
> http://bugzilla.mozilla.org/show_bug.cgi?id=157224

Thanks for filling up the bugs.

> In the meantime, you can change your cert so that it works with any
> version of mozilla or communicator.  You could do any of the following:
> 
> 1. issue your server a new cert that does not meet condition 1 of being
> self issued.  In other words, issue a new cert that appears to have been
> issued by a cert with a different subject name, one that doesn't exist.
> That cert will behave exactly the same way with N7 that your old cert
> behaved with old versions of N6.
> 
> or
> 
> 2. issue your server a new cert that really is self-signed and really is
> self-issued.  I don't know why your present certificate isn't really
> self signed.  Since you made it with OpenSSL, you'll have to ask some
> OpenSSL folks what to do differently to be self signed.  As for being
> self issued, I suggest you simply leave off the authority and subject
> key ID extensions from the cert.
> 
> Either way, be sure you don't issue a new cert with the same issuer and
> serial number as you've used before.  Be sure your new certs all have new
> and unique serial numbers.  Otherwise, you'll run into more troubles.

Again, Thank-you.

Regards,
Ingo Kappler

>> Thanks Ingo
> 
> --
> Nelson B
> (Please don't reply to this email address.  Please reply to the
> newsgroup.)


Reply via email to