Description of Problem: Browser generates error when accessing SSL enabled web site that had keys generated manually with openssl commands. Version-Release number of selected component (if applicable): mod_ssl-2.8.7-2 Steps to Reproduce: 1. Generate key: /usr/bin/openssl genrsa -out ssl.key/server.key 1024 2. Generate cert request using supplied Makefile: make certreq 3. Bypass CA Authority generate certificate yourself /usr/bin/openssl x509 -days 365 -signkey ssl.key/server.key -in ssl.csr/server.csr -req -out ssl.crt/server.crt 4. Restart web server Actual Results: Netscape 4.79 Browser Error: SSL has recieved an error from the server indicating an incorrect Message Authentification Code. This could indicate a network error, a bad server implementation, or a security violation. Konquerer Generates error but complains that the certificate has expired. It allows you to override and still access the site. Expected Results: Popup window asking if it is OK to accept the new certificate. Additional Information: The following errors are popping up in /var/log/httpd/ssl_engine_log [02/Apr/2002 17:17:44 00726] [error] SSL handshake failed (server dhcp59-205.rdu.redhat.com:443, client 172.16.56.98) (OpenSSL library error follows) [02/Apr/2002 17:17:44 00726] [error] OpenSSL: error:140760FC:lib(20):func(118):reason(252) The following is the server.crt contents. Certificate: Data: Version: 1 (0x0) Serial Number: 0 (0x0) Signature Algorithm: md5WithRSAEncryption Issuer: C=US, ST=North Carolina, L=Raleigh, O=Red Hat, Inc., OU=QA, CN=dhcp59-205.rdu.redhat.com/Email=dkl Validity Not Before: Apr 2 22:35:53 2002 GMT Not After : Apr 2 22:35:53 2003 GMT Subject: C=US, ST=North Carolina, L=Raleigh, O=Red Hat, Inc., OU=QA, CN=dhcp59-205.rdu.redhat.com/Email=dkl Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:d0:6d:ab:03:20:4f:0e:a1:43:19:90:45:bc:63: 40:a7:6f:29:71:f5:ed:0c:62:88:f4:e2:f0:b1:5f: 4e:e0:54:3b:5c:e5:5c:9d:c8:40:00:ef:ad:0f:a5: cf:ff:22:4e:8c:a3:5f:41:96:91:ad:ec:22:a2:bb: 71:dc:7c:d5:e2:57:e6:ec:69:f2:89:bd:2f:4b:6c: 66:10:23:e6:d4:0e:f4:d5:55:06:de:d9:34:a9:ea: 29:d1:bb:c5:79:6f:e5:a5:d3:fa:d5:8b:b3:91:65: d8:cd:e7:e5:36:e9:eb:ab:48:47:b1:f8:f1:f1:ae: be:7a:fa:02:56:7a:cd:8b:21 Exponent: 65537 (0x10001) Signature Algorithm: md5WithRSAEncryption 5d:ad:b7:53:43:4f:23:0d:72:8e:2d:8e:6c:74:3e:34:6c:6b: f1:6d:6e:85:d0:63:6e:2f:60:32:2f:93:a6:cf:b0:50:45:dc: 98:e4:8f:3a:e9:57:71:93:e1:da:12:a6:2d:88:be:76:71:bd: 33:e5:e8:8e:7b:62:f4:a2:cb:af:80:8a:a0:30:e5:3b:d9:e8: f0:49:84:38:ab:c9:29:58:ae:35:8a:77:88:4c:ec:06:31:6f: 26:ea:17:0f:fa:8f:74:ba:68:07:43:17:d6:65:c9:6e:a6:27: 35:4f:57:37:ea:76:2b:f2:90:2c:99:bc:96:be:f8:21:92:ca: d3:ac
I'm unable to reproduce this with Netscape Communicator. Try to reproduce this error dialog with Konqueror, then from the initial error dialog, select "Details...", "Cryptography Configuration...", select the "Peer SSL Certificates" tab, select the certificate for your test web site, and click on the "Verify" button. If it fails, press the "Details..." button for this dialog and see if the resulting error message is the same.
Okay, I did what you suggested. First of all when Konqueror throws the error and I click in Details, one thing it does complain is that the certificate if expired. Here are the dates that it reports for a cert that I just created 5 minutes before trying to us it. Certificate State: Certificate has expired Valid From: Friday 05 April 2002 04:08:04 GMT Valid Until: Saturday 05 April 2003 04:08:04 GMT That is odd. Then I have to force acceptance of the certificate once and then return to the Cryptography Configuration screen for the test cert to show up in the list. After hightlighting my test cert and clicking Verify, I get: This certificate has failed the tests and should be considered invalid. Clicking on details renders: Certificate is self signed and thus may not be trustworthy. This is different than the expired problem.
Because the timestamps are in GMT, the certificate is actually valid time-wise. Because Netscape Communicator doesn't indicate that the certificate is expired, but does prompt due to the signer being unknown, I suspect we're seeing a bug in kdelibs's SSL-related code which causes an incorrect message to be displayed in the first dialog, or the verification routine is not handling time zone differences properly.
Confirmed: when validating certificates, kssl doesn't handle notBefore and notAfter times properly unless the local time zone is GMT. (The notBefore and notAfter fields are GMT dates, and kssl uses the local time in its checks.)
This doesnt really explain the Netscape 4.78 issue though.
Dave, I couldn't reproduce this with the version of Netscape I had installed (4.79-1). I have just repeated the test with 4.78-2 and 4.78-1 and am still unable to reproduce the failure.
This was fixed in kdelibs-3.0.0-7.
I feel this is now related to a time difference issue between the server/client. I have tried this with a different machine and have had success. I still get the Certificate has expired in Konqueror when clicking on the LOCK icon to view SSL details. The first screen you see shows 4:08 GMT but if you go to the Cryptography Configuration->Peel SSL Certificates screen and view the expiration date there it says 11:32 GMT instead of 4:08. Highlighting the test certificate and then clicking Verify only complains of the certificate being self-signed and not expired. Very strange. I wonder if Bero was saying this anomoly is what has been fixed in the latest kdelibs. In Netscape with the different server I am able to successfully accept the certificate with the obvious warning of it being self-signed also.