View Issue Details

ID: 0000735
Project: website
Category: website
View Status: public
Last Update: 2005-01-06 14:11
Reporter: jpyeron@pdinc.us
Priority: low
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: Other
OS: other
OS Version: 
Product Version: unspecified
Target Version: 
Fixed in Version: 
Summary: 0000735: ssl certificate not properly installed on the web server.

Description: When sending the *.caosity.org cert, it needs to be sent with its chain too.

From an Apache SSL config:

 SSLEngine on
 SSLCertificateFile /home/httpd/webmail/cert/public.crt
 SSLCertificateKeyFile /home/httpd/webmail/cert/private.key
 SSLCertificateChainFile /home/httpd/webmail/cert/ca-bundle.txt

 SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
Tags: No tags attached.

Activities

~0002229  lance@uklinux.net (reporter)  2005-01-05 18:26

The server is configured correctly - which particular URL is causing you problems?

Maybe you don't have the CAcert root CA certificate installed?

~0002230  jpyeron@pdinc.us (reporter)  2005-01-05 22:05

That should be irrelevant to this issue.

The complete certificate chain should always be transmitted.


Alice signs & sends Bob a document

Alice's cert is Signed by SubCA

SubCA's cert is signed by CA.

Bob trusts CA, therefore he can trust Alice's documents, BUT only if he can
verify the certificate chain.

If Bob does not yet trust CA, then he should be able to review CA's
certificate, the policies inside, and investigate further. Bob may not trust CA
until Alice submits a document with it in the chain; this tells him that Alice
trusts CA to sign her cert and so should Bob.

In short, many people are not going to install cacert.org's cert until
caosity.org presents it.

As to the URL: https://bugzilla.caosity.org/show_bug.cgi?id=735

~0002231  lance@uklinux.net (reporter)  2005-01-05 22:23

I think you may have misunderstood what I was saying - your simple analogous
explanation is unnecessary for me.

Exactly which part of :-

<VirtualHost 69.93.111.163:443>
     DocumentRoot "/var/www/html/bugzilla"
     ServerName bugzilla.caosity.org
     ServerAlias bugznew.caosity.org
     ServerAdmin webmaster@caosity.org
     ErrorLog logs/bugzilla-error_log
     TransferLog logs/bugzilla-access_log
     SSLEngine on
     SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
     SSLCertificateFile /etc/httpd/conf/ssl.crt/caoswild.cacert.crt
     SSLCertificateKeyFile /etc/httpd/conf/ssl.key/caoswild.key
     SSLCertificateChainFile /etc/httpd/conf/ssl.crt/cacert.pem
     <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
     </Files>
     SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
     CustomLog logs/bugzilla-ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

do you think is incorrect?

Not forgetting that there is no chain - CAcert is the root CA.

~0002232  jpyeron@pdinc.us (reporter)  2005-01-06 00:41

There is a chain:

C:\Documents and Settings\Administrator\Desktop>openssl x509 -noout -text -in caosity.cer | head
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 46293 (0xb4d5)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Validity
            Not Before: Oct 12 22:17:43 2004 GMT
            Not After : Apr 10 22:17:43 2005 GMT
        Subject: CN=*.caosity.org

If the subject != issuer then there must be a chain.

Could you please attach /etc/httpd/conf/ssl.crt/cacert.pem?

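The subject/issuer test in the comment above, carried through as an added example (not code from the thread or from the caosity.org server): it reads the Issuer and Subject lines of openssl's text dump and walks the certificates a server presents, leaf first, so the three situations argued about here (root sent, root not sent, wrong bundle file) are told apart. The certificate dumps embedded below are constructed samples, trimmed to the lines that matter.

```python
import re

# Constructed samples of `openssl x509 -noout -text` output, trimmed to the
# header lines this check needs. LEAF mirrors the thread's *.caosity.org cert
# (issued directly by the CAcert root); ROOT is that self-signed root; OTHER_CA
# stands in for an unrelated bundle file. None are the server's real certs.
LEAF = """Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Subject: CN=*.caosity.org
"""
ROOT = """Certificate:
    Data:
        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Subject: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
"""
OTHER_CA = """Certificate:
    Data:
        Issuer: O=Example Corp, CN=Example Root (constructed)
        Subject: O=Example Corp, CN=Example Root (constructed)
"""


def names(cert_text):
    """Return (subject, issuer) from openssl's text dump of one certificate."""
    subj = re.search(r"^\s*Subject: (.+)$", cert_text, re.M)
    iss = re.search(r"^\s*Issuer: (.+)$", cert_text, re.M)
    if not (subj and iss):
        raise ValueError("no Subject/Issuer line found")
    return subj.group(1).strip(), iss.group(1).strip()


def check_chain(presented):
    """Classify the (subject, issuer) pairs a server presents, leaf first.

    Each cert's issuer must be the subject of the next cert.  Returns:
      'ends-at-root'  last cert is self-signed, the client sees the whole chain
      'needs:<dn>'    last issuer was not sent, the client must already trust <dn>
      'broken:<n>'    cert n's issuer is not the subject of cert n+1
      'empty'         nothing was presented
    """
    if not presented:
        return "empty"
    for n in range(len(presented) - 1):
        if presented[n][1] != presented[n + 1][0]:
            return f"broken:{n}"
    subject, issuer = presented[-1]
    return "ends-at-root" if subject == issuer else f"needs:{issuer}"
```

A leaf whose subject differs from its issuer always yields 'needs:...' on its own, which is exactly the state a client sees when the chain file is not being served.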

~0002233  jpyeron@pdinc.us (reporter)  2005-01-06 00:44

Created an attachment (id=57)
example ca-bundle

This is a proper CA bundle.

~0002234  jpyeron@pdinc.us (reporter)  2005-01-06 00:46

Created an attachment (id=58)
example cert using attachment 57

~0002235  lance@uklinux.net (reporter)  2005-01-06 01:23

It is found here :-

http://www.cacert.org/certs/root.crt

~0002236  jpyeron@pdinc.us (reporter)  2005-01-06 01:49

What is the output of:

curl -s http://www.cacert.org/certs/root.crt | \
diff - /etc/httpd/conf/ssl.crt/cacert.pem

~0002237  lance@uklinux.net (reporter)  2005-01-06 02:12

Nothing - they are the same file.


[root@caos1 ssl.crt]# curl -s http://www.cacert.org/certs/root.crt | \
> diff - /etc/httpd/conf/ssl.crt/cacert.pem
[root@caos1 ssl.crt]#

as is also shown by :-

[root@caos1 ssl.crt]# curl -s http://www.cacert.org/certs/root.crt | md5sum
fb262d55709427e2e9acadf2c1298c99 -
[root@caos1 ssl.crt]# md5sum cacert.pem
fb262d55709427e2e9acadf2c1298c99 cacert.pem

~0002238  lance@uklinux.net (reporter)  2005-01-06 02:24

I may have found a problem - some of the virtual hosts were using CAcert.pem
which was the wrong file - but not the bugzilla one ...

I have deleted it and corrected.

~0002239  jpyeron@pdinc.us (reporter)  2005-01-06 14:03

Created an attachment (id=59)
jpg of verisign website cert under view

I removed the root ca cert from my key store and went to
https://www.verisign.com

and viewed the cert.

Also with the CA cert in the keystore.

~0002240  jpyeron@pdinc.us (reporter)  2005-01-06 14:08

Created an attachment (id=60)
image caosity cert under view

This is what I get when viewing caosity.

There is an error, but from what I have seen there should not be an error?

Maybe I can do some more hunting; your web server is not transmitting the
ca-bundle with each SSL connection.

Could it be something silly like a lack of read permissions?

~0002241  jpyeron@pdinc.us (reporter)  2005-01-06 14:11

Sorry, ignore my last two posts, I did not see the comment after md5sum.

Yes, it is fixed.

Issue History

Date Modified Username Field Change
2005-01-06 14:11 jpyeron@pdinc.us Status NEW => RESOLVED
2005-01-06 14:11 jpyeron@pdinc.us Resolution => FIXED