Re: [TLS] ServerCertificate and intermediate CA certs
Martin,
I believe the instructions you seek are posted on VeriSign's web site,
specifically on how to configure Apache:
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR193 and
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR158.
I'd also direct you to the VeriSign information on the recent use of an
Intermediate CA:
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR212.
Mike
> -----Original Message-----
> From: tls-bounces@xxxxxxxx [mailto:tls-bounces@xxxxxxxx] On
> Behalf Of Martin Rex
> Sent: Wednesday, April 02, 2008 10:22 AM
> To: tls@xxxxxxxx
> Subject: [TLS] ServerCertificate and intermediate CA certs
>
> I just received a request for help with an SSL interoperability
> problem that a colleague encountered. He observed that the
> server certificate validation failed, reporting an incomplete
> certificate chain when he tried to connect to an (apparently
> Apache) Web-Server.
>
> He had configured the "Verisign Class 3 Public Primary CA" as
> trusted, and the Server only sends the Server cert, but fails
> to include the intermediate CA cert (VeriSign Class 3 Secure
> Server CA).
>
> In my reading of SSLv3->TLSv1.1 that is an obvious and
> serious violation of the protocol spec. Omitting the
> self-signed root certificate at the end of the server's
> certificate chain from the ServerCertificate message is
> OK/allowed, but omitting intermediate CAs is definitely NOT
> allowed by the spec.
>
> IMHO, the SSL/TLS stack ought to enforce that the certificate
> chain in the ServerCertificate message is correct, i.e. omits
> at most a self-signed root certificate, but NEVER any
> intermediate CAs and not even start an SSL handshake if that
> prerequisite cannot be determined.
>
> Does anyone, by chance, know how/whether that problem can be
> fixed by configuration in Apache and how (i.e. how to
> configure Apache so that OpenSSL sends out a correct
> certification path in the ServerCertificate message,
> including all necessary intermediate CA certificates)?
>
>
> -Martin
_______________________________________________
TLS mailing list
TLS@xxxxxxxx
https://www.ietf.org/mailman/listinfo/tls