Strange behaviour


Strange behaviour

Walter H.
Hello,

there exists a self signed root CA certificate (A)
one intermediate CA certificate (B)
and this intermediate certificate has signed an SSL certificate (C) of a
web server;

the SSL certificate has in its 'Authority Information Access' extension
the URL to the
intermediate CA certificate, and the intermediate CA certificate has in
this extension the URL to the root CA certificate;
every certificate is stored in DER format;

in case the certificate database of the browser has only the root CA
certificate and I surf to this webserver
which itself sends the whole certificate chain; why does this work
without errors only in IE, and not in Firefox?

if the root CA certificate is a built-in token; then this works in
Firefox, too;

why this strange behaviour?

Thanks,
Walter
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Strange behaviour

Mat Arge
Just a wild guess: If you click on "edit trust" on the root certificate in
Firefox, you have to tick the box for web server certificates.

cheers
Mat

On Friday 04. October 2013 21:29:57 you wrote:

> Hello,
>
> there exists a self signed root CA certificate (A)
> one intermediate CA certificate (B)
> and this intermediate certificate has signed an SSL certificate (C) of a
> web server;
>
> the SSL certificate has in its 'Authority Information Access' extension
> the URL to the
> intermediate CA certificate, and the intermediate CA certificate has in
> this extension the URL to the root CA certificate;
> every certificate is stored in DER format;
>
> in case the certificate database of the browser has only the root CA
> certificate and I surf to this webserver
> which itself sends the whole certificate chain; why does this work
> without errors only in IE, and not in Firefox?
>
> if the root CA certificate is a built-in token; then this works in
> Firefox, too;
>
> why this strange behaviour?
>
> Thanks,
> Walter


Re: Strange behaviour

Walter H.
I thought similar, but it becomes more strange;

if the webserver uses a certificate that is signed from a CA with built
in token, then this needn't be;
and in case it is signed from my intermediate certificate, this doesn't
help ...

Greetings,
Walter

On 07.10.2013 09:39, Mat Arge wrote:

> Just a wild guess: If you click on "edit trust" on the root certificate in
> Firefox, you have to tick the box for web server certificates.
>
> cheers
> Mat
>
> On Friday 04. October 2013 21:29:57 you wrote:
>> Hello,
>>
>> there exists a self signed root CA certificate (A)
>> one intermediate CA certificate (B)
>> and this intermediate certificate has signed an SSL certificate (C) of a
>> web server;
>>
>> the SSL certificate has in its 'Authority Information Access' extension
>> the URL to the
>> intermediate CA certificate, and the intermediate CA certificate has in
>> this extension the URL to the root CA certificate;
>> every certificate is stored in DER format;
>>
>> in case the certificate database of the browser has only the root CA
>> certificate and I surf to this webserver
>> which itself sends the whole certificate chain; why does this work
>> without errors only in IE, and not in Firefox?
>>
>> if the root CA certificate is a built-in token; then this works in
>> Firefox, too;
>>
>> why this strange behaviour?
>>
>> Thanks,
>> Walter

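
The chain described in this thread (self-signed root A, intermediate B, server certificate C, each with an AIA caIssuers URL) can be rebuilt with throwaway keys and checked with the openssl command line, outside any browser. This is an added example, not part of the original messages: all subject names, the pki.example.test URLs and the file names are constructed, and the third case uses OpenSSL's own trust settings (`-addtrust`) to show a root that is trusted, but not for TLS servers; it does not reproduce Firefox's trust store.

```sh
#!/bin/sh
# Added example: all names, URLs and file names below are constructed.
set -eu

# Build root A, intermediate B and server certificate C in directory $1.
build_chain() (
  cd "$1"
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[inter]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
authorityInfoAccess = caIssuers;URI:http://pki.example.test/A.der
[server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
authorityInfoAccess = caIssuers;URI:http://pki.example.test/B.der
EOF
  for n in A B C; do
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
      -subj "/CN=Demo $n" -keyout "$n.key" -out "$n.csr" 2>/dev/null
  done
  sign() { openssl x509 -req -days 30 -extfile pki.cnf "$@" >/dev/null 2>&1; }
  sign -in A.csr -signkey A.key -extensions root -out A.pem
  sign -in B.csr -CA A.pem -CAkey A.key -set_serial 2 -extensions inter -out B.pem
  sign -in C.csr -CA B.pem -CAkey B.key -set_serial 3 -extensions server -out C.pem
  # Same root, but marked as trusted for e-mail only (OpenSSL trust settings).
  openssl x509 -in A.pem -addtrust emailProtection -out A-email-only.pem
)

# Print "ok" or "fail" for a TLS-server verification; $1 is the only trust anchor.
chain_status() {
  anchor=$1; shift
  if openssl verify -purpose sslserver -CAfile "$anchor" "$@" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

dir=$(mktemp -d)
build_chain "$dir"
echo "A trusted, B supplied:            $(chain_status "$dir/A.pem" -untrusted "$dir/B.pem" "$dir/C.pem")"
echo "A trusted, B not supplied:        $(chain_status "$dir/A.pem" "$dir/C.pem")"
echo "A trusted for e-mail only, B ok:  $(chain_status "$dir/A-email-only.pem" -untrusted "$dir/B.pem" "$dir/C.pem")"
```

`-untrusted B.pem` plays the role of the intermediate sent by the server; `openssl verify` does not fetch the AIA URLs, so the second case fails when B is not supplied.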