Re: Certificate problem - SOLVED
> From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton > Sent: Tuesday, July 08, 2014 20:33 > On Tue, Jul 8, 2014 at 7:00 PM, Dave Thompson > wrote: > >> From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton > >> Sent: Tuesday, July 08, 2014 16:20 > > ... > >> Not sure if this is any consolation, but countryName is a > >> DirectoryString, and PrintableString is OK per RFC 5280 > >> (http://tools.ietf.org/html/rfc5280#section-4.1.2.6): > > > > Actually it's not. 4.1.2.4 Issuer says Name.RDN.AVA values are > > 'generally' DirectoryString, but see appendix A on p115: > > countryName is PrintableString size(2), presumably because its > > allowed values are from ISO 3166 which in turn uses ASCII letters. > So countryName is not PrintableString? > countryName IS PrintableString. countryName is specified as exactly PrintableString, unlike other fields which are specified as DirectoryString where DirectoryString is CHOICE that includes PrintableString as one option so those fields MAY BE PrintableString. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Certificate problem - SOLVED
On Tue, Jul 8, 2014 at 7:00 PM, Dave Thompson wrote: >> From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton >> Sent: Tuesday, July 08, 2014 16:20 > ... >> Not sure if this is any consolation, but countryName is a >> DirectoryString, and PrintableString is OK per RFC 5280 >> (http://tools.ietf.org/html/rfc5280#section-4.1.2.6): > > Actually it's not. 4.1.2.4 Issuer says Name.RDN.AVA values are > 'generally' DirectoryString, but see appendix A on p115: > countryName is PrintableString size(2), presumably because its > allowed values are from ISO 3166 which in turn uses ASCII letters. So countryName is not PrintableString? Jeff __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Certificate problem - SOLVED
> From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton > Sent: Tuesday, July 08, 2014 16:20 > On Tue, Jul 8, 2014 at 3:39 PM, Barbe, Charles > wrote: > > I figured it out and am now wondering if there is a defect in the openssl > verify command. This suggestion from Dave Thompson: > > I would first try x509 -noout -subject|issuer -nameopt multiline,show_type > > and see if that helps. > > Pointed me in the right direction. What i found was that Issuer for > certificate A, which was the one that was NOT working, looked like this: > > [cbarbe@localhost foropensslusers]$ openssl x509 -noout -issuer - > nameopt multiline,show_type -in CertA.pem > > issuer= > > countryName = UTF8STRING:US > > While the issuer for certificate B and subject for my CA looked like this: > > [cbarbe@localhost foropensslusers]$ openssl x509 -noout -issuer - > nameopt multiline,show_type -in CertB.pem > > issuer= > > countryName = PRINTABLESTRING:US > > So it looks like openssl verify is not taking the type of countryName into > account while the browsers are. Is this expected behavior or a defect? > > > Not sure if this is any consolation, but countryName is a > DirectoryString, and PrintableString is OK per RFC 5280 > (http://tools.ietf.org/html/rfc5280#section-4.1.2.6): Actually it's not. 4.1.2.4 Issuer says Name.RDN.AVA values are 'generally' DirectoryString, but see appendix A on p115: countryName is PrintableString size(2), presumably because its allowed values are from ISO 3166 which in turn uses ASCII letters. Similarly dnQualifier is PrintableString and emailAddress is IA5String. > >DirectoryString ::= CHOICE { > teletexString TeletexString (SIZE (1..MAX)), > printableString PrintableString (SIZE (1..MAX)), > universalString UniversalString (SIZE (1..MAX)), > utf8String UTF8String (SIZE (1..MAX)), > bmpString BMPString (SIZE (1..MAX)) } > > However, there is the following on page 23: > >When encoding attribute values of type DirectoryString, conforming >CAs MUST use PrintableString or UTF8String encoding, with the >following exceptions: > > (a) When the subject of the certificate is a CA, the subject >field MUST be encoded in the same way as it is encoded in the >issuer field (Section 4.1.2.4) in all certificates issued by >the subject CA. Thus, if the subject CA encodes attributes >in the issuer fields of certificates that it issues using the >TeletexString, BMPString, or UniversalString encodings, then >the subject field of certificates issued to that CA MUST use >the same encoding. > > So the DirectoryString must be the same type. You can't make it > utf8String in the server certificate's issuer and PrintableString in > the CA's subject. > 4.1.2.4 says name matching should use the rules in 7.1, which allow 'insignifcant' variations in the string values, and doesn't say anything specific I can find about the encoding. I'm not sure if X.509/X.has quite the same rules, or if CA's have historically done so (for certs that might still be usable). OpenSSL is generally pretty Postelian in accepting slightly 'broken' protocols and data to maximize interoperability. But 1.0.2 is slated to enhance chain validation, and checks like this might fit in there better than in the past "flag bits that always run out" approach. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Certificate problem - SOLVED
On Tue, Jul 8, 2014 at 4:48 PM, Barbe, Charles wrote: > Also don't these lines of the spec: > > countryName ATTRIBUTE ::= { > WITH SYNTAX PrintableString (SIZE (2)) > -- IS 3166 codes only > ID id-at-countryName } > > indicate that countryName is restricted to the PrintableString (SIZE (2)) > type which is a restricted subset of DirectoryString? > That may apply. I see it under "A.1. Explicitly Tagged Module, 1988 Syntax", but I'm not sure what the introduction is telling me in Appendix A. If it matters... looking at CA and server certificates I created using OpenSSL's API (a few months ago) show the country code is PRINTABLESTRING in both. Jeff __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Certificate problem - SOLVED
Also don't these lines of the spec: countryName ATTRIBUTE ::= { WITH SYNTAX PrintableString (SIZE (2)) -- IS 3166 codes only ID id-at-countryName } indicate that countryName is restricted to the PrintableString (SIZE (2)) type which is a restricted subset of DirectoryString? Charles A. Barbe Senior Software Engineer Allworx, a Windstream company 245 East Main St | Rochester NY | 14604 charles.ba...@allworx.com | 585.421.5565 From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] on behalf of Barbe, Charles [charles.ba...@allworx.com] Sent: Tuesday, July 08, 2014 4:44 PM To: openssl-users@openssl.org Subject: RE: Certificate problem - SOLVED Yet openssl verify said OK to both of my certificates against the CA certificate... so is it incorrectly neglecting to compare the types when it tries to build the chain of certificates? Charles A. Barbe Senior Software Engineer Allworx, a Windstream company 245 East Main St | Rochester NY | 14604 charles.ba...@allworx.com | 585.421.5565 From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] on behalf of Jeffrey Walton [noloa...@gmail.com] Sent: Tuesday, July 08, 2014 4:19 PM To: OpenSSL Users List Subject: Re: Certificate problem - SOLVED On Tue, Jul 8, 2014 at 3:39 PM, Barbe, Charles wrote: > I figured it out and am now wondering if there is a defect in the openssl > verify command. This suggestion from Dave Thompson: > I would first try x509 -noout -subject|issuer -nameopt multiline,show_type > and see if that helps. > Pointed me in the right direction. What i found was that Issuer for > certificate A, which was the one that was NOT working, looked like this: > [cbarbe@localhost foropensslusers]$ openssl x509 -noout -issuer -nameopt > multiline,show_type -in CertA.pem > issuer= > countryName = UTF8STRING:US > stateOrProvinceName = UTF8STRING:New York > organizationName = UTF8STRING:Allworx Corp, a Windstream Company > commonName= UTF8STRING:view > While the issuer for certificate B and subject for my CA looked like this: > [cbarbe@localhost foropensslusers]$ openssl x509 -noout -issuer -nameopt > multiline,show_type -in CertB.pem > issuer= > countryName = PRINTABLESTRING:US > stateOrProvinceName = UTF8STRING:New York > organizationName = UTF8STRING:Allworx Corp, a Windstream Company > commonName= UTF8STRING:view > [cbarbe@localhost foropensslusers]$ openssl x509 -noout -issuer -nameopt > multiline,show_type -in CA.pem > issuer= > countryName = PRINTABLESTRING:US > stateOrProvinceName = UTF8STRING:New York > organizationName = UTF8STRING:Allworx Corp, a Windstream Company > commonName= UTF8STRING:view > So it looks like openssl verify is not taking the type of countryName into > account while the browsers are. Is this expected behavior or a defect? > Not sure if this is any consolation, but countryName is a DirectoryString, and PrintableString is OK per RFC 5280 (http://tools.ietf.org/html/rfc5280#section-4.1.2.6): DirectoryString ::= CHOICE { teletexString TeletexString (SIZE (1..MAX)), printableString PrintableString (SIZE (1..MAX)), universalString UniversalString (SIZE (1..MAX)), utf8String UTF8String (SIZE (1..MAX)), bmpString BMPString (SIZE (1..MAX)) } However, there is the following on page 23: When encoding attribute values of type DirectoryString, conforming CAs MUST use PrintableString or UTF8String encoding, with the following exceptions: (a) When the subject of the certificate is a CA, the subject field MUST be encoded in the same way as it is encoded in the issuer field (Section 4.1.2.4) in all certificates issued by the subject CA. Thus, if the subject CA encodes attributes in the issuer fields of certificates that it issues using the TeletexString, BMPString, or UniversalString encodings, then the subject field of certificates issued to that CA MUST use the same encoding. So the DirectoryString must be the same type. You can't make it utf8String in the server certificate's issuer and PrintableString in the CA's subject. Jeff __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager
RE: Certificate problem - SOLVED
Yet openssl verify said OK to both of my certificates against the CA certificate... so is it incorrectly neglecting to compare the types when it tries to build the chain of certificates? Charles A. Barbe Senior Software Engineer Allworx, a Windstream company 245 East Main St | Rochester NY | 14604 charles.ba...@allworx.com | 585.421.5565 From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] on behalf of Jeffrey Walton [noloa...@gmail.com] Sent: Tuesday, July 08, 2014 4:19 PM To: OpenSSL Users List Subject: Re: Certificate problem - SOLVED On Tue, Jul 8, 2014 at 3:39 PM, Barbe, Charles wrote: > I figured it out and am now wondering if there is a defect in the openssl > verify command. This suggestion from Dave Thompson: > I would first try x509 -noout -subject|issuer -nameopt multiline,show_type > and see if that helps. > Pointed me in the right direction. What i found was that Issuer for > certificate A, which was the one that was NOT working, looked like this: > [cbarbe@localhost foropensslusers]$ openssl x509 -noout -issuer -nameopt > multiline,show_type -in CertA.pem > issuer= > countryName = UTF8STRING:US > stateOrProvinceName = UTF8STRING:New York > organizationName = UTF8STRING:Allworx Corp, a Windstream Company > commonName= UTF8STRING:view > While the issuer for certificate B and subject for my CA looked like this: > [cbarbe@localhost foropensslusers]$ openssl x509 -noout -issuer -nameopt > multiline,show_type -in CertB.pem > issuer= > countryName = PRINTABLESTRING:US > stateOrProvinceName = UTF8STRING:New York > organizationName = UTF8STRING:Allworx Corp, a Windstream Company > commonName= UTF8STRING:view > [cbarbe@localhost foropensslusers]$ openssl x509 -noout -issuer -nameopt > multiline,show_type -in CA.pem > issuer= > countryName = PRINTABLESTRING:US > stateOrProvinceName = UTF8STRING:New York > organizationName = UTF8STRING:Allworx Corp, a Windstream Company > commonName= UTF8STRING:view > So it looks like openssl verify is not taking the type of countryName into > account while the browsers are. Is this expected behavior or a defect? > Not sure if this is any consolation, but countryName is a DirectoryString, and PrintableString is OK per RFC 5280 (http://tools.ietf.org/html/rfc5280#section-4.1.2.6): DirectoryString ::= CHOICE { teletexString TeletexString (SIZE (1..MAX)), printableString PrintableString (SIZE (1..MAX)), universalString UniversalString (SIZE (1..MAX)), utf8String UTF8String (SIZE (1..MAX)), bmpString BMPString (SIZE (1..MAX)) } However, there is the following on page 23: When encoding attribute values of type DirectoryString, conforming CAs MUST use PrintableString or UTF8String encoding, with the following exceptions: (a) When the subject of the certificate is a CA, the subject field MUST be encoded in the same way as it is encoded in the issuer field (Section 4.1.2.4) in all certificates issued by the subject CA. Thus, if the subject CA encodes attributes in the issuer fields of certificates that it issues using the TeletexString, BMPString, or UniversalString encodings, then the subject field of certificates issued to that CA MUST use the same encoding. So the DirectoryString must be the same type. You can't make it utf8String in the server certificate's issuer and PrintableString in the CA's subject. Jeff __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Certificate problem - SOLVED
On Tue, Jul 8, 2014 at 3:39 PM, Barbe, Charles wrote: > I figured it out and am now wondering if there is a defect in the openssl > verify command. This suggestion from Dave Thompson: > I would first try x509 -noout -subject|issuer -nameopt multiline,show_type > and see if that helps. > Pointed me in the right direction. What i found was that Issuer for > certificate A, which was the one that was NOT working, looked like this: > [cbarbe@localhost foropensslusers]$ openssl x509 -noout -issuer -nameopt > multiline,show_type -in CertA.pem > issuer= > countryName = UTF8STRING:US > stateOrProvinceName = UTF8STRING:New York > organizationName = UTF8STRING:Allworx Corp, a Windstream Company > commonName= UTF8STRING:view > While the issuer for certificate B and subject for my CA looked like this: > [cbarbe@localhost foropensslusers]$ openssl x509 -noout -issuer -nameopt > multiline,show_type -in CertB.pem > issuer= > countryName = PRINTABLESTRING:US > stateOrProvinceName = UTF8STRING:New York > organizationName = UTF8STRING:Allworx Corp, a Windstream Company > commonName= UTF8STRING:view > [cbarbe@localhost foropensslusers]$ openssl x509 -noout -issuer -nameopt > multiline,show_type -in CA.pem > issuer= > countryName = PRINTABLESTRING:US > stateOrProvinceName = UTF8STRING:New York > organizationName = UTF8STRING:Allworx Corp, a Windstream Company > commonName= UTF8STRING:view > So it looks like openssl verify is not taking the type of countryName into > account while the browsers are. Is this expected behavior or a defect? > Not sure if this is any consolation, but countryName is a DirectoryString, and PrintableString is OK per RFC 5280 (http://tools.ietf.org/html/rfc5280#section-4.1.2.6): DirectoryString ::= CHOICE { teletexString TeletexString (SIZE (1..MAX)), printableString PrintableString (SIZE (1..MAX)), universalString UniversalString (SIZE (1..MAX)), utf8String UTF8String (SIZE (1..MAX)), bmpString BMPString (SIZE (1..MAX)) } However, there is the following on page 23: When encoding attribute values of type DirectoryString, conforming CAs MUST use PrintableString or UTF8String encoding, with the following exceptions: (a) When the subject of the certificate is a CA, the subject field MUST be encoded in the same way as it is encoded in the issuer field (Section 4.1.2.4) in all certificates issued by the subject CA. Thus, if the subject CA encodes attributes in the issuer fields of certificates that it issues using the TeletexString, BMPString, or UniversalString encodings, then the subject field of certificates issued to that CA MUST use the same encoding. So the DirectoryString must be the same type. You can't make it utf8String in the server certificate's issuer and PrintableString in the CA's subject. Jeff __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Certificate problem - SOLVED
I figured it out and am now wondering if there is a defect in the openssl verify command. This suggestion from Dave Thompson: I would first try x509 -noout -subject|issuer -nameopt multiline,show_type and see if that helps. Pointed me in the right direction. What i found was that Issuer for certificate A, which was the one that was NOT working, looked like this: [cbarbe@localhost foropensslusers]$ openssl x509 -noout -issuer -nameopt multiline,show_type -in CertA.pem issuer= countryName = UTF8STRING:US stateOrProvinceName = UTF8STRING:New York organizationName = UTF8STRING:Allworx Corp, a Windstream Company commonName= UTF8STRING:view While the issuer for certificate B and subject for my CA looked like this: [cbarbe@localhost foropensslusers]$ openssl x509 -noout -issuer -nameopt multiline,show_type -in CertB.pem issuer= countryName = PRINTABLESTRING:US stateOrProvinceName = UTF8STRING:New York organizationName = UTF8STRING:Allworx Corp, a Windstream Company commonName= UTF8STRING:view [cbarbe@localhost foropensslusers]$ openssl x509 -noout -issuer -nameopt multiline,show_type -in CA.pem issuer= countryName = PRINTABLESTRING:US stateOrProvinceName = UTF8STRING:New York organizationName = UTF8STRING:Allworx Corp, a Windstream Company commonName= UTF8STRING:view So it looks like openssl verify is not taking the type of countryName into account while the browsers are. Is this expected behavior or a defect? Again, thanks for all the help everybody! CHAD From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] on behalf of Dave Thompson [dthomp...@prinpay.com] Sent: Monday, July 07, 2014 4:03 PM To: openssl-users@openssl.org Subject: RE: Certificate problem > From: owner-openssl-us...@openssl.org On Behalf Of Barbe, Charles > Sent: Sunday, July 06, 2014 22:42 > I have the following certificates and associated private keys: > > A - certificate A generated with one version of my software not using openssl > B - certificate B generated with a new version of my software that does use > openssl > CA - a local certificate authority whose private key is used to sign both A and > B > > I can verify both A and B using openssl verify using CA as the cafile argument. > > However, when I install CA on a client and try to connect a web browser to > my server running the two different versions of software, they complain that > they cannot find the issuer with A but not with B. > > I have examined both certificates and cannot find anything different about > them. As far as I can tell, the only difference is that B used openssl to > generate the certificate and A used our own custom software. The odd thing > to me is that openssl verify can verify both just fine. What are the web > browsers doing different? I've tried chrome, Firefox and opera and all > behave the same... Accepting B and rejecting A. > > Does anybody have any suggestions on where to look to figure this out? A > tool to use? > You are installing in the correct placeS which can be different per browser, right? The only thing that springs to mind that could be invisible is string types and some options of the cert Issuer fields vs the CA Subject. RFC 5280 requires a fairly complicated Unicode-aware comparison algorithm which I believe openssl does (it definitely canonicalizes before comparison, but I haven't gone through the canonicalization to make sure it exactly matches the RFC); browsers might not do the same (perhaps indirectly) although I'd be surprised if NONE do. I would first try x509 -noout -subject|issuer -nameopt multiline,show_type and see if that helps. __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org CA.pem Description: CA.pem CertA.pem Description: CertA.pem
Re: certificate problem :-( (solved)
Hi Erik, thanks for replying. I received your mail but not via the list - it hasn't appeared there (yet) ... Problem solved: As usual it was annoyingly simple (and embarassing). I was assuming that when I did a "make certificate" the certificate in "/www/conf" would be altered, but it wasn't. After your mail I intensified my efforts and after copying /usr/src/apache/conf/... to /www/conf it worked! Barry - On Mon, 19 Jul 1999 14:54:07 -0700 (PDT), Erik Kline wrote: >in case you're not on the list. you should verify that the virtual name is >the same as the CN of the cert. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]