I'll skip the IE 7 problems.
The Mozilla firefox generation works, but Thawte isn't returning the
certificate in a form that firefox understands apparently, it comes back
as a .spc or some kind of PKCS#7 file, and never gets imported.
It can kind of look like a Windows function is stepping in and intercepting
the .spc file (it looks like a version of one of those Windows computer
management consoles appears). It might even work to install the certificate,
but of course the private key is absent in the Windows crypto store. Perhaps,
firefox attempts to figure out what kind of file it is, doesn't know and
drops into Windows file management. The file management window
that firefox displays says Open with "Windows host process (rundll32)".
I tried downloading the .spc file directly, and then tried to import it into
Firefox. No luck - it wants a "password" for this file (presumably there
is none - but that's not acceptable to the dialog box, and strings of 0-8
blank spaces don't make it work either).
There's definitely a nice cert in that .spc file - I can unpack it with
openssl.
firefox, tho, doesn't seem to want to import anything other than a pure
pkcs12 file, and openssl won't produce one of those without a private key.
Anyone have any better luck and useful advice? Thanks, ==mwh
--
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: star...@startcom.org <xmpp:star...@startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
I will try that, but I predict it will fail if they use the same format.
One of my colleagues has found a recent bug in bugzilla on this
https://bugzilla.mozilla.org/show_bug.cgi?id=399188
and it appears that firefox is ignoring the mime type and
looking at the .spc extension, and then dropping into
Windows file management. This is not what it does on, say, XP,
where the same transaction works fine. I have not instrumented
XP to see if the same pkcs#7 package & mime type header get sent
by Thawte to this client (seems like a reasonable assumption, tho).
My colleague was able to create a web page that would trick
the firefox browser on Vista into downloading & installing
the cert: he took the cert out, renamed the extension to some
junk, and then had the page send the proper pkcs7 headers down
along with the cert. Then firefox-on-vista loaded the cert
properly.
So it looks like this is some kind of error in the decisions
firefox makes about extension handling.
> One of my colleagues has found a recent bug in bugzilla on this
> https://bugzilla.mozilla.org/show_bug.cgi?id=399188
> and it appears that firefox is ignoring the mime type and
> looking at the .spc extension, and then dropping into
> Windows file management.
I believe the present browser processing for files received via http
is something like this:
- if the MIME content type is known to the browser as a type it
handles internally, (either in native browser code, or through
extensions and add-ons/plugins) the browser handles the content
internally, otherwise ...
- If the MIME content type is known to be handled by another process
(e.g. MIME content type registered in Windows, or in the browser as a
"helper") then it is handled that way. There may be a dialog involved
at this point. Otherwise ...
- (on Windows) the file name extension is looked up, and whatever
process is associated with that file name extension is run to handle it.
There may be a dialog involved at this step.
Note that there is a possibility that a file will be downloaded with
an unknown MIME content type, but when the file name extension is
looked up, the MIME content type associated with that extension will
be a type that is known to the browser. In this case, one might
expect that the browser would handle the file internally, but it does
not. This is a known bug, but I doubt that it's relevant to Thawte.
I suspect that Thawte is downloading the file with a content type that is
unknown to the browser, but is known to windows to be handled by
Windows' own cert manager. I've seen that before.
--
Nelson B
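
An added illustration, not code from anyone in this thread: the sketch below classifies a downloaded file by its DER content instead of its extension or MIME type, which separates the PKCS#7 `.spc` described in the first message from the PKCS#12 file that the import dialog there was asking a password for. The function names are this example's own, and the sample byte strings are constructed skeletons rather than real certificates.

```python
import base64
import re

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def classify(data):
    """Classify a certificate-related file by content, ignoring its name."""
    try:
        m = re.search(rb"-----BEGIN [^-]+-----(.+?)-----END", data, re.S)
        if m:                              # PEM armour: decode to DER first
            data = base64.b64decode(m.group(1))
        tag, body, _ = read_tlv(data)
        first_tag, first_val, _ = read_tlv(body)
    except (IndexError, ValueError):       # empty, truncated or not DER at all
        return "unknown"
    if tag != 0x30:                        # every format here is an outer SEQUENCE
        return "unknown"
    if first_tag == 0x06:                  # ContentInfo starts with a contentType OID
        return "pkcs7-signed-data" if first_val == OID_SIGNED_DATA else "pkcs7-other"
    if first_tag == 0x02 and first_val == b"\x03":
        return "pkcs12"                    # PFX starts with INTEGER version 3
    if first_tag == 0x30:                  # heuristic: tbsCertificate (a CSR or CRL looks alike)
        return "x509"
    return "unknown"

def tlv(tag, body):
    """Short-form DER encoder, used only to build the samples below."""
    return bytes([tag, len(body)]) + body

# Constructed skeletons: only the outer layout is valid, there is no real content.
SAMPLE_SPC = tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, tlv(0x30, b"")))
SAMPLE_P12 = tlv(0x30, tlv(0x02, b"\x03") + tlv(0x30, b""))
SAMPLE_CERT = tlv(0x30, tlv(0x30, b"") + tlv(0x30, b"") + tlv(0x03, b"\x00"))
SAMPLE_PEM = b"-----BEGIN PKCS7-----\n" + base64.b64encode(SAMPLE_SPC) + b"\n-----END PKCS7-----\n"
```

A file that classifies as `pkcs7-signed-data` carries certificates only, so a PKCS#12 import that prompts for a password is the wrong path for it no matter what the extension says.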