[techtalk] SSL certificates

Almut Behrens almut_behrens at yahoo.com
Fri May 25 22:37:58 EST 2001


On Fri, May 25, 2001 at 11:57:17AM -0400, Michelle Murrain wrote:
> On Friday 25 May 2001 11:20 am, Julie Meloni wrote:
> > > I did finally get apache-ssl to work fine, but for some reason that is
> > > not apparent to me, Internet explorer (not netscape, not opera) says that
> > > the "identity certificate is invalid".
> >
> > There are a nice set of IE/SSL bugs.  If you thought the initial SSL
> > documentation was....interesting, don't even try to track down the
> > various permutations of IE/SSL bugs and bug fixes.  Let your friends
> > help.  It will save you some bald patches in your head.
> >
> > Can you post the version of Apache, mod_ssl, openssl that you're using,
> > as well as any other platform info that may be relevant?  Also, a nice
> > little snippet of the ssl error log would also be helpful.
> 
> I'm running apache-ssl, not apache with mod_ssl (would that be a better 
> choice?)
> 
> Server: Debian potato
> Version of apache-ssl: 1.3.9.13-2    
> 
> Method of installation: apt-get.
> 
> Openssl version: 0.9.6-0.potato.4  
> 
> The error log: this simple:
> [Fri May 25 11:54:26 2001] [error] SSL_accept failed  


just a few questions and ideas -- don't know whether that'll be of
much help, though.

Could it be that any two certificates issued by your CA (e.g.
server-cert, client-cert) do have the same serial number? (The idea
here is that the combination of issuer name + serial number must be
unique.)
I remember very dimly that there was a thread on the openssl
mailinglist about a similar issue a while back. I tried to look it up
in the archives, but somehow couldn't find it  (if you would like to
give it a try yourself, you could look here:
http://marc.theaimsgroup.com/?l=openssl-users&r=1&w=2 )

IIRC, the problem was that IE tries to verify this issuer+serialnumber
uniqueness, while Netscape and others do not. So if you do have
identical SNs, IE would actually behave correctly (this is one of the
very few exceptions to the rule (the rule being, that, if something
with SSL doesn't work, blame IE first :) )
My memory may be completely wrong, though ;)

You can display the textual content of the certificates with

openssl x509 -in <certificate.pem> -noout -text

In the output you should find the issuer and serial number.
If it's in .p12 format (as used by Netscape), you should first do:

openssl pkcs12 -in <file.p12> -clcerts -out <certificate.pem>

(or look directly at the original .pem file if you still have it around)

(also, the .pem files may have the clear-text embedded...)


BTW, am I right assuming that you roughly did the following:

* set up your own CA with a self-signed root certificate

  (did you use openssl's CA.pl script for that?)

* created your server key-pair, CSR (certificate signing
  request), and signed it with your CA to generate your
  own server certificate, and installed both key and
  certificate on the server side

  (or do you have an official server certificate issued
  by VeriSign, Thawte or some such?)
  
* created your client key-pair, CSR, and signed it to
  generate the client certificate, converted it to
  pkcs12 format, and imported it into the browser

* installed the CA root certificate in the browser
  (only required if you don't have an official server
  certificate)


Other questions:

* when does the error message "identity certificate is invalid"
exactly pop up?

* can you set the SSL loglevel to some higher verbosity when
using Apache-SSL?  (mod_ssl can be made very talkative...)
This might help to locate more precisely where things are going
wrong.

* did I get you right that only IE doesn't work, but NS and Opera do,
or have you only tried IE?
(sorry for the stupid question, but your initial post can be read
both ways -- at least it wasn't quite clear to me ;)

BTW, if you want my opinion on Apache-SSL vs. Apache + mod_ssl,
I'd say, go for mod_ssl (with slight preference only, actually).
The underlying concept with Apache-SSL basically is "stability through
simplicity" -- so 'no bells and whistles'. There's basically nothing
wrong with this concept, it's just that the bells and whistles can
be quite useful at times... (no flames, please!)


- Almut  (asking herself why she can't write short replies)
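The issuer-plus-serial-number check suggested above, worked through as an added example (this is not part of the original post, nor of Apache-SSL or OpenSSL): the script builds a throwaway CA in a temporary directory, issues a server and a client certificate with the same serial number (the mistake the reply suspects), issues a third with a distinct serial, and then extracts issuer and serial from each with `openssl x509 -noout -issuer -serial` to count duplicate issuer+serial pairs. It assumes only a POSIX shell and the `openssl` command-line tool; the CA name, file names and serial values are constructed for the demonstration, and it generalizes the one-at-a-time `openssl x509 -text` inspection to any number of certificate files.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the openssl CLI.
# Everything is written to a temporary directory that is removed on exit.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca DIR : create a self-signed root certificate (constructed CA name),
# roughly what CA.pl's -newca step produces.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_cert DIR NAME SERIAL : key pair + CSR for NAME, signed by the CA
# with an explicit serial number so the collision can be reproduced.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$1/$2.csr" \
    -CA "$1/ca.pem" -CAkey "$1/ca.key" -set_serial "$3" \
    -out "$1/$2.pem" 2>/dev/null
}

# cert_id FILE : print one line "issuer=...|serial=...|" for a PEM certificate.
# The pair (issuer, serial) is what must be unique across a CA's certificates.
cert_id() {
  printf '%s\n' "$(openssl x509 -in "$1" -noout -issuer -serial | tr '\n' '|')"
}

# count_duplicate_ids FILE... : number of issuer+serial pairs that occur
# more than once among the given certificates (0 means all are unique).
count_duplicate_ids() {
  for f in "$@"; do cert_id "$f"; done | sort | uniq -d | wc -l | tr -d ' '
}

# Demonstration: server and client share serial 1, client2 gets serial 2.
make_ca "$WORK"
issue_cert "$WORK" server 1
issue_cert "$WORK" client 1
issue_cert "$WORK" client2 2

for f in server client client2; do
  echo "$f: $(cert_id "$WORK/$f.pem")"
done
echo "duplicate pairs (server, client):  $(count_duplicate_ids "$WORK/server.pem" "$WORK/client.pem")"
echo "duplicate pairs (server, client2): $(count_duplicate_ids "$WORK/server.pem" "$WORK/client2.pem")"
```

Point `count_duplicate_ids` at every certificate a CA has issued (for example `count_duplicate_ids certs/*.pem`) and anything other than 0 means two certificates collide on issuer and serial, which is exactly the condition a strict client may reject. The exact formatting of the issuer line differs between OpenSSL versions, but it is identical for every certificate from the same CA, so the comparison is unaffected.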
