Bug 62601
Summary: | Browser errors when generating mod_ssl test certs | ||
---|---|---|---|
Product: | [Retired] Red Hat Linux | Reporter: | David Lawrence <dkl> |
Component: | kdelibs | Assignee: | Bernhard Rosenkraenzer <bero> |
Status: | CLOSED RAWHIDE | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 7.3 | ||
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | i386 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2002-04-08 19:10:58 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 61901 |
Description
David Lawrence
2002-04-02 22:50:52 UTC
I'm unable to reproduce this with Netscape Communicator. Try to reproduce this error dialog with Konqueror, then from the initial error dialog, select "Details...", "Cryptography Configuration...", select the "Peer SSL Certificates" tab, select the certificate for your test web site, and click on the "Verify" button. If it fails, press the "Details..." button for this dialog and see if the resulting error message is the same. Okay, I did what you suggested. First of all when Konqueror throws the error and I click in Details, one thing it does complain is that the certificate if expired. Here are the dates that it reports for a cert that I just created 5 minutes before trying to us it. Certificate State: Certificate has expired Valid From: Friday 05 April 2002 04:08:04 GMT Valid Until: Saturday 05 April 2003 04:08:04 GMT That is odd. Then I have to force acceptance of the certificate once and then return to the Cryptography Configuration screen for the test cert to show up in the list. After hightlighting my test cert and clicking Verify, I get: This certificate has failed the tests and should be considered invalid. Clicking on details renders: Certificate is self signed and thus may not be trustworthy. This is different than the expired problem. Because the timestamps are in GMT, the certificate is actually valid time-wise. Because Netscape Communicator doesn't indicate that the certificate is expired, but does prompt due to the signer being unknown, I suspect we're seeing a bug in kdelibs's SSL-related code which causes an incorrect message to be displayed in the first dialog, or the verification routine is not handling time zone differences properly. Confirmed: when validating certificates, kssl doesn't handle notBefore and notAfter times properly unless the local time zone is GMT. (The notBefore and notAfter fields are GMT dates, and kssl uses the local time in its checks.) This doesnt really explain the Netscape 4.78 issue though. Dave, I couldn't reproduce this with the version of Netscape I had installed (4.79-1). I have just repeated the test with 4.78-2 and 4.78-1 and am still unable to reproduce the failure. This was fixed in kdelibs-3.0.0-7. I feel this is now related to a time difference issue between the server/client. I have tried this with a different machine and have had success. I still get the Certificate has expired in Konqueror when clicking on the LOCK icon to view SSL details. The first screen you see shows 4:08 GMT but if you go to the Cryptography Configuration->Peel SSL Certificates screen and view the expiration date there it says 11:32 GMT instead of 4:08. Highlighting the test certificate and then clicking Verify only complains of the certificate being self-signed and not expired. Very strange. I wonder if Bero was saying this anomoly is what has been fixed in the latest kdelibs. In Netscape with the different server I am able to successfully accept the certificate with the obvious warning of it being self-signed also. |