[Fedora-directory-users] NSS/SSL oddities
Rob Crittenden
rcritten at redhat.com
Fri Jan 6 15:47:05 UTC 2006
Mark McLoughlin wrote:
> Hi Rob,
>
> On Fri, 2006-01-06 at 09:21 -0500, Rob Crittenden wrote:
>
>>Mark McLoughlin wrote:
>>
>>>Hi,
>>> A couple of quick questions about things that have been bugging me:
>>>
>>> - If I import a server certificate and a CA certificate with pk12util
>>> and change the trust attributes on the CA cert to "C,," - i.e. that
>>> it should be a trusted CA for server certificates - and then start
>>> slapd I get:
>>>
>>>[05/Jan/2006:17:21:57 +0000] conn=0 op=-1 fd=64 closed - No certificate authority is trusted for SSL client authentication.
>>>
>>> Which seems strange to me - I would have thought the CA certs in
>>> nssckbi would be trusted for client auth?
>>
>>The C trust flag means that it is a trusted CA to issue server certs.
>>For client certs you need the T flag as well.
>
>
> Right.
>
>
>>nssckbi doesn't really come into play here. I believe that even if your
>>CA is signed by another CA that is in libnssckbi but you don't trust
>>your CA to sign client certs, then any client certificates issued by
>>your CA won't be trusted.
>
>
> Well, the point is that this CA won't be issuing an client
> certificates ... only a server certificate.
>
> What appears to be happening is that NSS requires at least one CA
> certificate to be available in order to send a certificate request
> during the handshake. However, my CA certificate isn't trusted for
> client auth and NSS isn't aware of any other CAs for client auth, so it
> barfs.
>
> I find this puzzling because looking through the NSS code, it looks
> like the CA certificates from nssckbi should be used for client auth -
> e.g. the error suggests that if I make my CA trusted for client auth, it
> will be the *only* CA used for client auth and that the root CAs will be
> ignored?
The question is: Do you want to do client certificate authentication? If
not then you should be able to disable client auth in the directory
server and this message should go away. I'm not a FDS developer so I
can't really say how one would do this configuration.
As for the trust issue, this goes a bit beyond my knowledge. This would
be a good question for the NSS guys in the
netscape.public.mozilla.crypto newsgroup (on nntp://news.mozilla.org).
rob
>
> Cheers,
> Mark.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20060106/9608fa85/attachment.bin>
More information about the Fedora-directory-users
mailing list