Hovav Shacham wrote:
>
> Hello, all --
>
> According to both the SSL3 draft and TLS, a server can send a chain of
> certificates, beginning with its own and leading towards a root CA.
> Posts by Netscape engineers (seen on Dejanews) strongly suggest that
> Netscape Communicator can handle chains.
>
> I tried to get chains working on the https server I'm writing (with
> OpenSSL 0.9.5), using what seemed like the obvious methods -- either
> SSL_CTX_add_extra_chain_cert(), or SSL_CTX_get_cert_store() and
> X509_STORE_add_cert(). IE5 correctly handles and displays the
> certificate chain, but Netscape (4.72 for Win32 and 4.51 for Linux)
> comes back with an error dialog:
>
> The security library has encountered an improperly formatted
> DER-encoded message.
>
> Netscape behaves the same way even if I serve the certificates to it
> using mod_ssl (2.6.3, for Apache 1.3.12) and its
> SSLCertificateChainFile setting.
>
> But Netscape definitely *can* handle chains; for example,
> https://enigma.barclaycard.co.uk , which, not surprisingly, is served
> with Netscape Enterprise Server. It's simply not reacting well to
> OpenSSL-sent certificate chains.
>
> I examined the entrails (using ``s_client -ssl3 -debug'') from
> connecting locally and to Barclays, and both server-certificate
> messages look correct to me as far as field lengths and so on. I must
> admit I'm stumped.
>
> Has anyone had success with sending certificate chains to Netscape
> clients?
>
Firstly upgrade to OpenSSL 0.9.5a.
How many certificates are in the chain? If it's only two then there's no
point because the root will have to be in the browser anyway. If it's
more than two then is the chain valid in terms of certificate
extensions?
It has been reported that some versions of Netscape have problems if the
root CA is included in the chain. Try excluding the root.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]