sslv3 alert bad certificate


sslv3 alert bad certificate

Felix Dorner
hi,

I am playing around with certificates created and signed from
"/demos/selfsign.c". I replaced some of the code... so I post the output
of 'openssl x509 -in cert.pem -text' here:

Certificate:
    Data:
        Version: 4 (0x3)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=DE, CN=XYZ, University ABC
        Validity
            Not Before: Oct  7 16:32:48 2005 GMT
            Not After : Oct  7 16:32:48 2006 GMT
        Subject: C=DE, CN=XYZ, University ABC
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:ce:e3:af:45:76:2e:54:61:40:f4:49:86:bd:0a:
                    aa:fc:0e:03:58:cc:c0:b6:51:f1:f7:8b:d8:39:d8:
                    7e:dd:ae:84:76:c7:d3:37:b5:ab:01:60:9e:ad:bd:
                    82:a5:90:6e:25:26:23:b1:81:07:96:f1:2e:4e:7e:
                    c2:45:0f:35:4f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                example comment extension
            Netscape SSL Server Name:
                www.openssl.org
    Signature Algorithm: md5WithRSAEncryption
        76:fb:3f:6a:21:fa:bb:39:08:6a:d1:24:2c:0f:a5:ae:27:e8:
        d4:b2:96:9c:b7:c0:d8:11:23:5b:3d:34:dc:f2:09:0f:8e:f5:
        3b:10:4f:d4:7c:ac:b4:e1:12:51:0b:fe:48:06:27:d0:99:f5:
        e4:52:82:89:8f:19:90:09:f8:8a

I use this certificate for an HTTP server. The test client (Firefox) pops
up the well-known "unknown certificate" message. I can then accept the
certificate and start browsing.

There seem to be some formal issues with the certificate, however:

1. When I "examine" the certificate from Firefox's popup window, the
topmost message says "could not verify the certificate for unknown
reasons", and folding/unfolding the certificate entries is not possible:
it looks as if the certificate is "empty".
2. On the server side I receive an sslv3 alert bad certificate.


What are the differences, then, between a "properly working" self-signed
certificate and the one that I use?

thanks for any help.

felix dorner

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Re: sslv3 alert bad certificate

Joseph Oreste Bruni-2
It might be because neither the commonName nor the subjectAltName  
make any reference to the name of your web server. (Just a guess.)




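Joseph's guess is about name matching: a client checks the certificate's DNS names against the host it connected to. The following is an added example, not code from the thread or from OpenSSL, showing that check in plain C: wildcard handling follows RFC 6125 (only a whole leftmost "*." label, matching exactly one host label), subjectAltName DNS entries take precedence and the CN is consulted only when no DNS SAN exists. The host names and SAN list are constructed samples; the thread's own certificate has CN "XYZ" and no subjectAltName, so it identifies no host.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of two NUL-terminated strings (DNS names are
   case-insensitive). Returns 1 when equal. */
static int name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Match one DNS name pattern from a certificate against a host name.
   A wildcard is only honoured as the whole leftmost label ("*.example.test"),
   it must cover exactly one host label, and the pattern must keep at least
   two further labels (RFC 6125 rules). Any other '*' is rejected. */
int dns_name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *rest = pattern + 2;
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host) return 0;   /* host needs >= 2 labels */
        if (strchr(rest, '.') == NULL) return 0;    /* refuse "*.test" */
        return name_eq(rest, dot + 1);              /* one label replaced */
    }
    if (strchr(pattern, '*') != NULL) return 0;
    return name_eq(pattern, host);
}

/* Decide whether a certificate identifies 'host'. When the certificate
   carries subjectAltName DNS entries, only those are consulted; the CN is
   a fallback solely for certificates without any DNS SAN. */
int cert_identifies_host(const char *const *san_dns, size_t nsan,
                         const char *cn, const char *host)
{
    if (nsan > 0) {
        for (size_t i = 0; i < nsan; i++)
            if (dns_name_matches(san_dns[i], host)) return 1;
        return 0;
    }
    return cn != NULL && dns_name_matches(cn, host);
}

int main(void)
{
    /* Constructed samples: the thread's CN-only certificate vs. one with SANs. */
    const char *sans[] = { "www.example.test", "*.example.test" };
    printf("CN=XYZ, no SAN, host www.example.test: %d\n",
           cert_identifies_host(NULL, 0, "XYZ", "www.example.test"));
    printf("SAN list, host api.example.test:       %d\n",
           cert_identifies_host(sans, 2, "XYZ", "api.example.test"));
    printf("SAN list, host a.b.example.test:       %d\n",
           cert_identifies_host(sans, 2, "XYZ", "a.b.example.test"));
    return 0;
}
```

The first call prints 0 because "XYZ" is not a host name at all; the second prints 1 via the wildcard; the third prints 0 because a wildcard may stand in for only one label.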

Re: sslv3 alert bad certificate

Felix Dorner
hi,

As far as browsing the certificate ('folding' and 'unfolding'
certificate entries) in the Mozilla popup goes, it seems like this:

>        Version: 4 (0x3)
>  
>
is invalid. As far as I have read, there is no version 4 for X.509
certificates.

selfsign.c:
X509_set_version(x,3);  sets the Certificate Version to 4 ... quite a
nasty trap.

Replacing the '3' with a '2' makes it Version 3 and the entries get
'browsable'.

However, there is still the message about a failed verification for
'unknown reasons'.
What does 'certificate verification' mean, anyway?

I changed the CN to the correct value as proposed by Joseph, but I
still get an sslv3 alert bad certificate warning.

felix
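The trap Felix describes comes from the DER encoding: the X.509 version field is zero-based (v1 = 0, v2 = 1, v3 = 2), and `openssl x509 -text` prints the value plus one, so `X509_set_version(x, 3)` yields "Version: 4 (0x3)", which RFC 5280 does not define. The following is an added example, not code from the thread or from OpenSSL: a minimal DER reader that pulls the version out of a certificate prefix and flags anything outside v1..v3. The three byte arrays are constructed prefixes (Certificate, TBSCertificate, optional [0] version, serial number) truncated after the serial, which is enough to exercise the check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read one DER tag/length header at buf[*pos]. Returns the tag byte, stores
   the content length in *len and advances *pos to the content. Returns -1 on
   short or malformed input (definite lengths of up to 4 bytes only). */
static int der_header(const uint8_t *buf, size_t n, size_t *pos, size_t *len)
{
    if (*pos + 2 > n) return -1;
    int tag = buf[(*pos)++];
    uint8_t first = buf[(*pos)++];
    if (first < 0x80) {
        *len = first;
    } else {
        int nbytes = first & 0x7f;
        if (nbytes == 0 || nbytes > 4 || *pos + nbytes > n) return -1;
        *len = 0;
        for (int i = 0; i < nbytes; i++) *len = (*len << 8) | buf[(*pos)++];
    }
    if (*len > n - *pos) return -1;   /* length runs past the buffer */
    return tag;
}

/* Return the version the way 'openssl x509 -text' prints it (DER value + 1):
   1 when the optional [0] version field is absent, -1 on malformed input. */
int x509_version(const uint8_t *der, size_t n)
{
    size_t pos = 0, len;
    if (der_header(der, n, &pos, &len) != 0x30) return -1;   /* Certificate */
    if (der_header(der, n, &pos, &len) != 0x30) return -1;   /* TBSCertificate */
    if (der_header(der, n, &pos, &len) != 0xA0) return 1;    /* no [0] tag: v1 */
    if (len != 3) return -1;
    if (der_header(der, n, &pos, &len) != 0x02 || len != 1) return -1;
    return der[pos] + 1;
}

/* RFC 5280 defines only v1, v2 and v3; anything else is a malformed field. */
int x509_version_ok(int version) { return version >= 1 && version <= 3; }

/* Constructed DER prefixes, truncated after the serial number. */
const uint8_t CERT_V3[] = { 0x30,0x0A, 0x30,0x08, 0xA0,0x03,0x02,0x01,0x02, 0x02,0x01,0x00 };
/* What X509_set_version(x, 3) produces: DER value 3, printed as "Version: 4". */
const uint8_t CERT_V4[] = { 0x30,0x0A, 0x30,0x08, 0xA0,0x03,0x02,0x01,0x03, 0x02,0x01,0x00 };
/* Version field omitted entirely: a v1 certificate. */
const uint8_t CERT_V1[] = { 0x30,0x05, 0x30,0x03, 0x02,0x01,0x00 };
const size_t CERT_V3_LEN = sizeof CERT_V3;
const size_t CERT_V4_LEN = sizeof CERT_V4;
const size_t CERT_V1_LEN = sizeof CERT_V1;

int main(void)
{
    const uint8_t *samples[] = { CERT_V1, CERT_V3, CERT_V4 };
    const size_t lens[] = { CERT_V1_LEN, CERT_V3_LEN, CERT_V4_LEN };
    for (int i = 0; i < 3; i++) {
        int v = x509_version(samples[i], lens[i]);
        printf("Version: %d (0x%x) -> %s\n", v, v - 1,
               x509_version_ok(v) ? "ok" : "not a defined X.509 version");
    }
    return 0;
}
```

Run against the thread's certificate, the same logic would report version 4 as undefined, which is why Firefox could not render the entries until the field was set to 2.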

