
How do I get PSM 1.4 to allow unknown sites or authorities like NS 4.x??


Richard Cardona

Nov 16, 2000, 3:00:00 AM
Hi,

The subject pretty much says it all. Internally we use a lot of
self-signed certificates created by OpenSSL or IBM iKeyman and Netscape
6.0 final release (Win32) doesn't prompt for the "trusting" of these
sites. When I visited one of our internal sites, Netscape 6.0 grinds a
bit and does nothing (the page doesn't change or go blank) - no error
message.


I definitely don't want to go through the process of exporting binary
DER or base64 text .crt files of the self-signed public keys for each
site I want to visit!!

I'm going to investigate if there's a way to reuse the key.db and
cert.db files from NS 4.x to at least trust the sites I've already
visited once and approved.

The SSL situation in Netscape 6.0 is a mess! :(

Richard

Steve Parkinson

Nov 16, 2000, 3:00:00 AM, to Richard Cardona
The key3.db and cert7.db database files used by Communicator 4 and
Netscape 6 are identical. The security component in N6 is called
Personal Security Manager.

We do *a lot* of testing internally with PSM with unknown issuers, so
maybe there is something special about these certificates.

I would suggest posting this message, and an example of one of the
problem CA certificates to the newsgroup which the PSM guys monitor:

news://news.mozilla.org/netscape.public.mozilla.crypto

Steve

Richard Cardona

Nov 16, 2000, 3:00:00 AM
Steve Parkinson wrote:
>
> The key3.db and cert7.db database files used by Communicator 4 and
> Netscape 6 are identical. The security component in N6 is called
> Personal Security Manager.

Thanks for your prompt response Steve. I know what PSM stands for, btw
;)

I've tracked the problem down. It's not related to self-signed
certificates after all. I was tricked because my self-signed certs were
in the PSM database but I expected to be prompted for a "New Site
Certificate" and I wasn't.


The problem is there is a TLS incompatibility between the GSKITv4 server
side SSL libraries in the IBM HTTP (Apache) Server 1.3.12.1 and the
cryptographic module in PSM 1.4 when TLS 1.0 is enabled. Since TLS 1.0
is enabled by default this renders secure connections inoperable to the
IBM HTTP Server.

IBM GSKITv4 also has TLS 1.0 support, so this is potentially a problem
in the TLS handshake. Of course, Netscape 6.0 doesn't mention a thing
when the connection fails. The security lock in the lower right blinks
yellow twice then goes red. If you click on it, there is an EMPTY
window with no error message.

If I disable TLS 1.0 in PSM 1.4, then I can connect to the IBM HTTP
Server, presumably with SSLv3. Since NS 4.7x doesn't have TLS this
might be a new problem with Netscape 6.0.

The IBM HTTP Server w/GSKITv4 is free for download if anyone is
interested in debugging this at the network layer on your end. =) I've
also notified the IBM GSKIT team which provides SSL/TLS support for the
IBM HTTP Server.

Richard Cardona
Tivoli Systems, a division of IBM
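
For the network-layer debugging mentioned in the last post, an added example (not part of the thread, and not code from PSM or GSKIT): a small Python decoder that reads the first SSLv3/TLS record each side sent in a capture and reports the hello version, the alert, or a silent close. The sample bytes are constructed, the function names are hypothetical, and SSLv2-format hellos are not handled.

```python
import struct

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0"}
ALERTS = {10: "unexpected_message", 40: "handshake_failure",
          47: "illegal_parameter", 70: "protocol_version"}
ALERT, HANDSHAKE = 21, 22          # record content types
CLIENT_HELLO, SERVER_HELLO = 1, 2  # handshake message types

def first_record(data):
    """Return (content_type, payload) of the first record, or None if no bytes."""
    if not data:
        return None
    if len(data) < 5:
        raise ValueError("truncated record header")
    # Record header: 1-byte type, 2-byte record version, 2-byte length.
    ctype, _rec_version, length = struct.unpack_from("!BHH", data, 0)
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record payload")
    return ctype, payload

def describe(data):
    """Summarise what one side sent first: hello version, alert, or nothing."""
    rec = first_record(data)
    if rec is None:
        return "no data (connection closed)"
    ctype, payload = rec
    if ctype == ALERT and len(payload) == 2:
        level = {1: "warning", 2: "fatal"}.get(payload[0], "unknown")
        return f"alert {level} {ALERTS.get(payload[1], payload[1])}"
    if (ctype == HANDSHAKE and len(payload) >= 6
            and payload[0] in (CLIENT_HELLO, SERVER_HELLO)):
        kind = "ClientHello" if payload[0] == CLIENT_HELLO else "ServerHello"
        # Version follows the 1-byte message type and 3-byte length.
        (version,) = struct.unpack_from("!H", payload, 4)
        return f"{kind} {VERSIONS.get(version, hex(version))}"
    return f"unrecognised record type {ctype}"

def sample_hello(msg_type, version):
    """Constructed sample: a hello cut off after an empty session_id."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    msg = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, version, len(msg)) + msg

# Constructed sample: fatal handshake_failure alert in an SSLv3 record.
SAMPLE_ALERT = struct.pack("!BHHBB", ALERT, 0x0300, 2, 2, 40)

if __name__ == "__main__":
    for side, raw in [("client", sample_hello(CLIENT_HELLO, 0x0301)),
                      ("server", SAMPLE_ALERT)]:
        print(side, "->", describe(raw))
```

Comparing the client's offered version with the server's first reply, once with TLS 1.0 enabled and once with it disabled, shows whether the server answers with a ServerHello, an alert, or nothing at all.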
