Hello,

I'm not really familiar with the two programs (selfserv and client) you used. But I recognized some remarkable things about your configuration. Normally a CA certificate would never be used as an SSL server certificate. If I understand the idea behind the two demo programs correctly, then I would suggest passing the self-signed CA certificate to the client program and the certificate signed by the CA to the server program. So the client could validate the certificate that is provided by the server. Another problem which might lead to your error messages could be a naming problem. If you use a real web server like Apache, then the SSL server certificate's subject CN must conform to the web server's address. For example, if you want to offer an https service on your local host, then the SSL server certificate has to be issued to the subject "localhost". If you want to offer it in your private LAN on a certain computer, then the certificate's subject has to be the computer's IP address or domain.

I hope that would help you a little bit.

Kind regards
Flo
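The naming check Flo describes is what produces the "requested domain name does not match the server's certificate" error: the client compares the host name it was asked to connect to against the name(s) in the server's certificate. The following is an added illustration of that comparison, not code from this thread and not NSS's own implementation. The certificate records are constructed dictionaries standing in for the parsed subject CN and subjectAltName fields; the "CN=John" record mirrors the certificate listing later in the thread, the other names and the 192.168.1.10 address are made up, and the rule that subjectAltName entries take precedence over the CN follows current practice (RFC 2818/6125) rather than anything this thread states about the 2005-era client.

```python
"""Host-name versus certificate-name matching (added example, not NSS code).

A certificate is represented as a constructed dict with the keys
  subject_cn : str        -- the subject's CN attribute
  san_dns    : list[str]  -- subjectAltName dNSName entries (may contain a wildcard)
  san_ip     : list[str]  -- subjectAltName iPAddress entries
"""
import ipaddress

# Constructed records. POSTED_SERVER_CERT mirrors the "CN=John" certificate
# from the thread; the others are hypothetical corrected certificates.
POSTED_SERVER_CERT = {"subject_cn": "John", "san_dns": [], "san_ip": []}
FIXED_SERVER_CERT = {"subject_cn": "localhost", "san_dns": [], "san_ip": []}
LAN_SERVER_CERT = {
    "subject_cn": "fileserver.lan",
    "san_dns": ["fileserver.lan"],
    "san_ip": ["192.168.1.10"],
}
# A certificate whose CN would match but whose SAN list does not: once any
# dNSName SAN is present the CN is ignored, so this must fail for "localhost".
SAN_ONLY_CERT = {"subject_cn": "localhost", "san_dns": ["other.test"], "san_ip": []}


def _match_dns_pattern(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name comparison.

    A wildcard is accepted only as the entire left-most label, only when the
    pattern has at least three labels (so "*.test" never matches), and it
    matches exactly one label ("*.example.test" does not match "a.b.example.test").
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, requested: str) -> tuple[bool, str]:
    """Return (matched, reason) for the name the client asked to connect to."""
    san_dns = cert.get("san_dns", [])
    san_ip = cert.get("san_ip", [])

    # An IP literal is only ever compared against iPAddress SAN entries.
    try:
        wanted_ip = ipaddress.ip_address(requested)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        if any(ipaddress.ip_address(entry) == wanted_ip for entry in san_ip):
            return True, f"IP address {requested} found in subjectAltName"
        return False, f"IP address {requested} not among subjectAltName entries {san_ip}"

    # If the certificate carries dNSName entries, they are authoritative and
    # the subject CN is not consulted at all.
    if san_dns:
        for pattern in san_dns:
            if _match_dns_pattern(pattern, requested):
                return True, f"{requested!r} matches subjectAltName {pattern!r}"
        return False, f"{requested!r} matches none of subjectAltName {san_dns}"

    # Fallback for certificates without a SAN extension (like the one in the
    # thread): the subject CN must name the host.
    cn = cert.get("subject_cn", "")
    if _match_dns_pattern(cn, requested):
        return True, f"{requested!r} matches subject CN {cn!r}"
    return False, f"requested domain name {requested!r} does not match subject CN {cn!r}"


if __name__ == "__main__":
    for label, cert in [("posted", POSTED_SERVER_CERT), ("fixed", FIXED_SERVER_CERT)]:
        ok, why = hostname_matches(cert, "localhost")
        print(f"{label:>6} cert vs localhost: {'OK' if ok else 'FAIL'} ({why})")
    print(hostname_matches(LAN_SERVER_CERT, "192.168.1.10"))
```

Running the block as a script shows the posted certificate failing for "localhost" with the same complaint the client printed, and a certificate issued to "CN=localhost" passing; for a LAN host the certificate must carry the machine's address or name, which is the second situation Flo describes.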


chenyu wrote:
Hi,
I am trying to run the NSS security tools (SSL test tools) (bin/selfserv.exe,
bin/client.exe). Because I do not fully understand X.509, I don't know
where the problem is.

My operation steps are as follows:
1. create DB.
2. create one self-signed certificate for CA.
3. create a certificate request, and sign a certificate with the CA.
4. run "selfserv"(ssl server) with the first certificate.
5. run "client" (ssl client) with the second certificate.

The console gives me the following error information:
Launched thread in slot 0
Error in function PR_Write: -12276
 - Unable to communicate securely with peer: requested domain name does not
match the server's certificate.
Error in function handle_connection: -12276
 - Unable to communicate securely with peer: requested domain name does not
match the server's certificate.
Thread in slot 0 returned -1

I don't know the meaning of "domain name" here; could you give me any clue
so that I can continue my reading?



Thank you in advance.
kind regards
chenyu


===========================
self-signed certificate ASCII

C:\Documents and Settings\chenyu>certutil -L -d c:\test -n johnsmith
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2147307083 (0x7ffd4e4b)
        Signature Algorithm: PKCS #1 MD5 With RSA Encryption
        Issuer:
            "CN=My Issuer"
        Validity:
            Not Before: Sun Sep 04 04:15:56 2005
            Not After : Sun Dec 04 04:15:56 2005
        Subject:
            "CN=John"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    96:e4:46:d1:9a:b7:17:15:26:7b:ab:ba:3f:bd:7d:7a:
                    7e:db:c7:3b:f8:26:0f:f9:24:ed:07:60:af:04:72:8f:
                    b5:b2:c3:6a:94:22:ae:5d:eb:cc:ee:76:bc:db:3f:d6:
                    0a:33:d9:f1:6d:db:5e:b4:c9:7e:c9:02:6c:58:23:c0:
                    f5:79:f9:17:9e:24:61:70:5c:a5:61:e8:58:c8:4e:06:
                    01:39:b2:67:24:d5:cc:e0:f6:4a:e6:d1:bc:f1:a0:6e:
                    a6:9c:1b:39:66:40:42:01:94:d2:0a:81:61:32:d1:54:
                    2f:b9:ab:e1:4c:69:fb:04:e6:32:0e:1f:ce:77:f8:19
                Exponent: 65537 (0x10001)
    Signature Algorithm: PKCS #1 MD5 With RSA Encryption
    Signature:
        a2:3b:3d:2e:1b:b7:6a:ff:a3:1e:76:d1:c6:1e:a9:fa:
        6b:41:5e:b6:7c:da:3f:27:cd:e9:7f:ec:51:97:8d:82:
        5e:e9:bc:3f:c4:ff:30:6e:f5:a8:09:ae:0f:47:bd:bf:
        fc:79:5b:56:cb:6e:1a:e5:0d:13:11:90:00:5b:e2:14:
        82:31:06:da:18:4f:03:8b:57:2d:c4:fe:6d:3f:8c:1e:
        1c:61:9b:bc:07:e1:6a:1a:dd:d9:e0:63:43:8f:a8:a5:
        af:a1:aa:7e:ca:cf:bf:54:41:6d:2a:1a:24:61:7c:ac:
        7d:c2:12:9b:fd:6e:81:b5:ba:72:0a:37:2d:fb:b3:de
    Fingerprint (MD5):
        AA:9C:DC:38:21:84:8B:CA:7C:74:A4:03:73:7E:CF:22
    Fingerprint (SHA1):
        4A:9C:77:AC:9A:15:B6:6E:CD:79:87:47:35:EA:05:CE:79:CB:FA:2C

    Certificate Trust Flags:
        SSL Flags:
            Valid Peer
            Trusted
            User
        Email Flags:
            Valid CA
            Trusted CA
            User
        Object Signing Flags:
            Valid CA
            Trusted CA
            User


===========================
client certificate

C:\Documents and Settings\chenyu>certutil -L -d c:\test -n myissuer
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1234 (0x4d2)
        Signature Algorithm: PKCS #1 MD5 With RSA Encryption
        Issuer:
            "CN=My Issuer"
        Validity:
            Not Before: Sun Sep 04 04:03:44 2005
            Not After : Sun Dec 04 04:03:44 2005
        Subject:
            "CN=My Issuer"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    b3:fc:84:54:db:40:23:f2:f2:d5:30:19:03:de:ec:53:
                    51:25:81:f9:58:a2:e4:bf:32:fe:0a:28:ca:0f:81:5c:
                    a5:c3:fa:81:be:72:4d:c2:a8:80:ca:93:11:44:4f:91:
                    17:50:d1:07:16:17:0c:b4:e7:42:9c:4f:5d:85:9f:f8:
                    91:62:bd:6b:18:68:11:4e:f5:54:95:6a:43:67:83:21:
                    13:ee:83:e8:9c:4d:13:90:f1:96:65:a1:06:25:67:e5:
                    37:ac:41:bf:ec:87:09:e2:d4:4b:a7:bb:91:33:5e:23:
                    e8:5a:5a:8e:99:04:bb:ad:a9:a1:84:3d:6d:50:13:87
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Type
            Data: <SSL Client,SSL Server,S/MIME,Object Signing,Reserved,SSL
CA,
/MIME CA,ObjectSigning CA>

            Name: Certificate Basic Constraints
            Data: Is a CA with a maximum path length of 3.

            Name: Certificate Key Usage
            Data:
                fe
                (1 least significant bits unused)

    Signature Algorithm: PKCS #1 MD5 With RSA Encryption
    Signature:
        60:a1:0e:cc:92:b4:46:2b:de:93:82:bf:03:a0:b7:dd:
        b8:59:0b:20:38:c4:38:4d:f4:b8:bb:d7:a1:ab:c7:ea:
        f1:2c:4b:7a:69:21:b6:12:1b:72:73:d0:d9:ab:9c:c1:
        ea:41:9a:fa:c9:29:a3:b5:6b:23:c5:12:b4:0b:0a:0c:
        a7:90:44:10:2d:4d:f5:0e:e6:6c:b8:8c:f0:e9:1f:4a:
        f1:84:d1:f1:21:3a:dc:dd:b3:b8:80:d3:9b:0a:94:6d:
        fa:cf:80:86:d0:ae:89:b1:6b:d2:b6:4a:17:0c:8c:9f:
        d7:42:42:60:ca:d7:56:87:f2:7b:49:99:1a:e3:f5:5d
    Fingerprint (MD5):
        0C:3E:1E:D3:A5:88:BC:9B:8B:76:AC:B0:76:8D:19:4B
    Fingerprint (SHA1):
        F2:1E:EC:8D:70:0F:77:82:CD:0F:6E:89:E3:93:82:E4:BD:6C:CC:04

    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
        Email Flags:
            Valid CA
            Trusted CA
            User
        Object Signing Flags:
            Valid CA
            Trusted CA
            User

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto