[Fedora-directory-users] NSS/SSL oddities
Mark McLoughlin
markmc at redhat.com
Fri Jan 6 16:17:06 UTC 2006
On Fri, 2006-01-06 at 10:47 -0500, Rob Crittenden wrote:
> Mark McLoughlin wrote:
> > What appears to be happening is that NSS requires at least one CA
> > certificate to be available in order to send a certificate request
> > during the handshake. However, my CA certificate isn't trusted for
> > client auth and NSS isn't aware of any other CAs for client auth, so it
> > barfs.
> >
> > I find this puzzling because looking through the NSS code, it looks
> > like the CA certificates from nssckbi should be used for client auth -
> > e.g. the error suggests that if I make my CA trusted for client auth, it
> > will be the *only* CA used for client auth and that the root CAs will be
> > ignored?
>
> The question is: Do you want to do client certificate authentication? If
> not then you should be able to disable client auth in the directory
> server and this message should go away. I'm not a FDS developer so I
> can't really say how one would do this configuration.
Yep, if you disable client auth, no attempt is made to send a
certificate request during the handshake and you don't get any error.
(To disable it you seem to have to set both "nsslapd-sslclientauth" on
"cn=config" and "nsSSLClientAuth" on "cn=encryption,cn=config")
> As for the trust issue, this goes a bit beyond my knowledge. This would
> be a good question for the NSS guys in the
> netscape.public.mozilla.crypto newsgroup (on nntp://news.mozilla.org).
Okay, thanks for your help.
Cheers,
Mark.
More information about the Fedora-directory-users
mailing list