[Fedora-directory-users] NSS/SSL oddities

Rob Crittenden rcritten at redhat.com
Fri Jan 6 15:47:05 UTC 2006 

Mark McLoughlin wrote:
> Hi Rob,
> 
> On Fri, 2006-01-06 at 09:21 -0500, Rob Crittenden wrote:
> 
>>Mark McLoughlin wrote:
>>
>>>Hi,
>>>	A couple of quick questions about things that have been bugging me:
>>>
>>>  - If I import a server certificate and a CA certificate with pk12util 
>>>    and change the trust attributes on the CA cert to "C,," - i.e. that 
>>>    it should be a trusted CA for server certificates - and then start 
>>>    slapd I get:
>>>
>>>[05/Jan/2006:17:21:57 +0000] conn=0 op=-1 fd=64 closed - No certificate authority is trusted for SSL client authentication.
>>>
>>>    Which seems strange to me - I would have thought the CA certs in 
>>>    nssckbi would be trusted for client auth?
>>
>>The C trust flag means that it is a trusted CA to issue server certs. 
>>For client certs you need the T flag as well.
> 
> 
> 	Right.
> 
> 
>>nssckbi doesn't really come into play here. I believe that even if your 
>>CA is signed by another CA that is in libnssckbi but you don't trust 
>>your CA to sign client certs, then any client certificates issued by 
>>your CA won't be trusted.
> 
> 
> 	Well, the point is that this CA won't be issuing an client
> certificates ... only a server certificate.
> 
> 	What appears to be happening is that NSS requires at least one CA
> certificate to be available in order to send a certificate request
> during the handshake. However, my CA certificate isn't trusted for
> client auth and NSS isn't aware of any other CAs for client auth, so it
> barfs.
> 
> 	I find this puzzling because looking through the NSS code, it looks
> like the CA certificates from nssckbi should be used for client auth -
> e.g. the error suggests that if I make my CA trusted for client auth, it
> will be the *only* CA used for client auth and that the root CAs will be
> ignored?

The question is: Do you want to do client certificate authentication? If 
not then you should be able to disable client auth in the directory 
server and this message should go away. I'm not a FDS developer so I 
can't really say how one would do this configuration.

As for the trust issue, this goes a bit beyond my knowledge. This would 
be a good question for the NSS guys in the 
netscape.public.mozilla.crypto newsgroup (on nntp://news.mozilla.org).

rob

> 
> Cheers,
> Mark.
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20060106/9608fa85/attachment.bin>

More information about the Fedora-directory-users mailing list