Fwd: kssl: certificate weirdness

Waldo Bastian bastian at kde.org
Mon Apr 5 13:18:21 BST 2004


On Mon April 5 2004 13:27, Waldo Bastian wrote:
> On Thu April 1 2004 22:09, Waldo Bastian wrote:
> > FYI
> >
> > ----------  Forwarded Message  ----------
> >
> > Subject: kssl: certificate weirdness
> > Date: Thu April 1 2004 21:14
> > From: Thorsten Becker <becker at rz.uni-wuerzburg.de>
> > To: kde-devel at mail.kde.org
> >
> > Hello list,
> >
> > I have encountered a problem with web server certificates and konqueror
> > in kde 3.2.1 and 3.1.5:
> > Konqueror doesn't complain when I open certain https-websites, but when I
> >  look into the security properties, it says there is a problem with an
> >  intermediate certificate.
> >
> > Steps to reproduce:
> > Import the DFN-root-certificate from http://www.dfn-pca.de/
> > (http://www.dfn-pca.de/certification/x509/g1/data/html/cacert/root-ca-cert.der)
> >
> > In Konqueror, open:
> > https://www.uni-konstanz.de/
> > It should open without any problem since it was signed by a CA which was
> > signed by the DFN Root CA
> >
> > look at the KDE SSL Information (View -> Security).
> > In the chain, select "2 - RZ CA"
> >
> > The certificate state is shown as "Rejected, possibly due to an invalid
> > purpose"
>
> It is strange that the whole chain has been accepted nonetheless. Could it
> be that we pass the wrong purpose when the dialog checks the individual
> certificate in the chain?

Certificate [3] fails for X509_PURPOSE_SSL_SERVER
but succeeds for X509_PURPOSE_NS_SSL_SERVER

Certificate [2] fails for both X509_PURPOSE_SSL_SERVER
and X509_PURPOSE_NS_SSL_SERVER

I find that a bit strange because based on the info below, I don't see much 
difference between [2] and [3].

[1]
kssl: ---------------- Certificate ------------------
kssl: /emailAddress=webmaster at uni-konstanz.de/C=DE/ST=Baden-Wuerttemberg/L=Konstanz/O=Universitaet 
Konstanz/OU=Rechenzentrum/CN=www.uni-konstanz.de
konqueror: PURPOSE: 1
konqueror: PURPOSE: 2
konqueror: PURPOSE: 3
konqueror: PURPOSE: 4
konqueror: PURPOSE: 5
konqueror: PURPOSE: 6
konqueror: PURPOSE: 7
konqueror: PURPOSE: 7 CA
konqueror: PURPOSE: 8
kssl: flags: 100000000
keyusage: 0
xkeyusage: 0
nscert: 0
kssl:      --- Key Usage extensions NOT found
kssl:      --- Extended key usage extensions NOT found
kssl:      --- NS extensions NOT found
kssl: NOTE: this is an SSL CA file.
kssl: NOTE: this is an EMAIL CA file.
kssl: NOTE: this is a CODE CA file.
kssl: NOTE: this is an SSL client.
kssl: NOTE: this is an SSL server.
kssl: NOTE: this is a NETSCAPE SSL server.
kssl: NOTE: this is an SMIME certificate.
kssl: NOTE: this is an SMIME encrypt cert.
kssl: NOTE: this is an SMIME sign cert.
kssl: NOTE: this is a CRL signer.
kssl: -----------------------------------------------

[2]
kssl: ---------------- Certificate ------------------
kssl: /C=DE/ST=Baden-Wuerttemberg/L=Konstanz/O=Universitaet 
Konstanz/OU=Rechenzentrum/CN=RZ CA/emailAddress=rz.ca at uni-konstanz.de
konqueror: PURPOSE: 1 CA
konqueror: PURPOSE: 2 CA
konqueror: PURPOSE: 3 CA
konqueror: PURPOSE: 4 CA
konqueror: PURPOSE: 5 CA
konqueror: PURPOSE: 6
konqueror: PURPOSE: 6 CA
konqueror: PURPOSE: 7
konqueror: PURPOSE: 7 CA
konqueror: PURPOSE: 8
konqueror: PURPOSE: 8 CA
kssl: flags: 100011011
keyusage: 110
xkeyusage: 0
nscert: 111
kssl:      --- Key Usage extensions found
kssl:      --- Extended key usage extensions NOT found
kssl:      --- NS extensions found
kssl: NOTE: this is an SSL CA file.
kssl: NOTE: this is an EMAIL CA file.
kssl: NOTE: this is a CODE CA file.
kssl: NOTE: this is NOT an SSL client.
kssl: NOTE: this is NOT an SSL server.
kssl: NOTE: this is NOT a NETSCAPE SSL server.
kssl: NOTE: this is NOT an SMIME certificate.
kssl: NOTE: this is NOT an SMIME encrypt cert.
kssl: NOTE: this is NOT an SMIME sign cert.
kssl: NOTE: this is a CRL signer.
kssl: -----------------------------------------------

[3]
kssl: ---------------- Certificate ------------------
kssl: /C=DE/ST=Baden-Wuerttemberg/L=Konstanz/O=Universitaet 
Konstanz/OU=Rechenzentrum/CN=UNI-KN CA/emailAddress=ca at uni-konstanz.de
konqueror: PURPOSE: 1 CA
konqueror: PURPOSE: 2 CA
konqueror: PURPOSE: 3 CA
konqueror: PURPOSE: 4 CA
konqueror: PURPOSE: 5 CA
konqueror: PURPOSE: 6
konqueror: PURPOSE: 6 CA
konqueror: PURPOSE: 7
konqueror: PURPOSE: 7 CA
konqueror: PURPOSE: 8
konqueror: PURPOSE: 8 CA
kssl: flags: 100011011
keyusage: 110
xkeyusage: 0
nscert: 111
kssl:      --- Key Usage extensions found
kssl:      --- Extended key usage extensions NOT found
kssl:      --- NS extensions found
kssl: NOTE: this is an SSL CA file.
kssl: NOTE: this is an EMAIL CA file.
kssl: NOTE: this is a CODE CA file.
kssl: NOTE: this is NOT an SSL client.
kssl: NOTE: this is NOT an SSL server.
kssl: NOTE: this is NOT a NETSCAPE SSL server.
kssl: NOTE: this is NOT an SMIME certificate.
kssl: NOTE: this is NOT an SMIME encrypt cert.
kssl: NOTE: this is NOT an SMIME sign cert.
kssl: NOTE: this is a CRL signer.
kssl: -----------------------------------------------

[4]
kssl: ---------------- Certificate ------------------
kssl: /C=DE/O=Deutsches Forschungsnetz/OU=DFN-CERT GmbH/OU=DFN-PCA/CN=DFN 
Toplevel Certification Authority/emailAddress=certify at pca.dfn.de
konqueror: PURPOSE: 1 CA
konqueror: PURPOSE: 2 CA
konqueror: PURPOSE: 3 CA
konqueror: PURPOSE: 4 CA
konqueror: PURPOSE: 5 CA
konqueror: PURPOSE: 6
konqueror: PURPOSE: 6 CA
konqueror: PURPOSE: 7
konqueror: PURPOSE: 7 CA
konqueror: PURPOSE: 8
konqueror: PURPOSE: 8 CA
kssl: flags: 100111011
keyusage: 110
xkeyusage: 0
nscert: 111
kssl:      --- Key Usage extensions found
kssl:      --- Extended key usage extensions NOT found
kssl:      --- NS extensions found
kssl: NOTE: this is an SSL CA file.
kssl: NOTE: this is an EMAIL CA file.
kssl: NOTE: this is a CODE CA file.
kssl: NOTE: this is NOT an SSL client.
kssl: NOTE: this is NOT an SSL server.
kssl: NOTE: this is NOT a NETSCAPE SSL server.
kssl: NOTE: this is NOT an SMIME certificate.
kssl: NOTE: this is NOT an SMIME encrypt cert.
kssl: NOTE: this is NOT an SMIME sign cert.
kssl: NOTE: this is a CRL signer.
kssl: -----------------------------------------------


- -- 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
^ bastian at kde.org | Is your software SUSE LINUX READY? | bastian at suse.com
^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
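
Added example, not part of the original message and not kssl or OpenSSL code: a simplified C model of the SSL server purpose check, fed with the flags/keyusage/nscert values from the dump above. It assumes kssl printed those fields in base 2, and it shows the three CA certificates failing only when they are tested as end-entity server certificates (ca=0) rather than as issuers (ca=1).

```c
#include <stdio.h>
#include <stdlib.h>
/* Bit values as defined in OpenSSL's <openssl/x509v3.h>. */
#define EXFLAG_BCONS  0x01  /* basicConstraints present */
#define EXFLAG_KUSAGE 0x02  /* keyUsage present */
#define EXFLAG_NSCERT 0x08  /* nsCertType present */
#define EXFLAG_CA     0x10  /* basicConstraints marks a CA */
#define KU_DIGITAL_SIGNATURE 0x80
#define KU_KEY_ENCIPHERMENT  0x20
#define KU_KEY_CERT_SIGN     0x04
#define NS_SSL_SERVER 0x40
#define NS_SSL_CA     0x04

struct cert { const char *cn; unsigned long flags, ku, ns; };
/* CN, flags, keyusage, nscert copied from the kssl dump for [1]..[4]. */
static const char *DUMP[4][4] = {
    { "www.uni-konstanz.de", "100000000", "0", "0" },
    { "RZ CA", "100011011", "110", "111" },
    { "UNI-KN CA", "100011011", "110", "111" },
    { "DFN Toplevel Certification Authority", "100111011", "110", "111" },
};

/* Assumption: kssl printed the three fields in base 2. */
static struct cert cert_at(int i)
{
    struct cert c = { DUMP[i][0], strtoul(DUMP[i][1], NULL, 2),
                      strtoul(DUMP[i][2], NULL, 2), strtoul(DUMP[i][3], NULL, 2) };
    return c;
}
/* An extension restricts usage only when it is present. */
static int ku_reject(struct cert c, unsigned long u) { return (c.flags & EXFLAG_KUSAGE) && !(c.ku & u); }
static int ns_reject(struct cert c, unsigned long u) { return (c.flags & EXFLAG_NSCERT) && !(c.ns & u); }
/* ca=0: may the cert identify a server?  ca=1: may it issue server certs? */
static int ssl_server_ok(struct cert c, int ca)
{
    if (ca)  /* simplified: a cert without basicConstraints is never a CA here */
        return !ku_reject(c, KU_KEY_CERT_SIGN) && (c.flags & EXFLAG_BCONS)
            && (c.flags & EXFLAG_CA) && !ns_reject(c, NS_SSL_CA);
    return !ns_reject(c, NS_SSL_SERVER)
        && !ku_reject(c, KU_DIGITAL_SIGNATURE | KU_KEY_ENCIPHERMENT);
}

int main(void)
{
    for (int i = 0; i < 4; i++)
        printf("[%d] %-36s end-entity=%d ca=%d\n", i + 1, cert_at(i).cn,
               ssl_server_ok(cert_at(i), 0), ssl_server_ok(cert_at(i), 1));
    return 0;
}
```

In this model a per-certificate check that passes ca=0 for every chain position reports the intermediates as rejected even though the chain as a whole validates.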