CCT issues with netscape and mod_ssl Urgent - On our production system.

Hello,


I'm getting the following errors with netscape v 6.2.3 and 7 pre when
ssl connecting to my web server.



There is a problem with the cct that identifies
www.bawonwater.vic.gov.au do you want to continue?

The certificate was issued by a certificate authority that netscape
6.2.3 does not recognize.


Can anyone help? I need to resolve this quickly. I'm sure this was not
happening before I upgraded to 1.3.26 with x.x.10 mod_ssl when the
security alert came out. Perhaps I missed something when I performed a
make install over the top of the old version.

--
Christopher Welsh
Barwon Regional Water Authority,
Geelong Victoria, 3216
Voice: 03 52 262385, Mobile: 0409 562968



************************************************************ *********************************


The information in this e-mail message and any files transmitted with it
are confidential
and/or privileged and are intended only for the use of the individual or
entity to whom
they are addressed. If you received this message in error please notify us
immediately
by telephone or return e-mail and delete all copies from your computer
system, as your
retention, distribution or copying of this message and files is strictly
prohibited.

It is the recipient's responsibility to check this message and files for
viruses.

************************************************************ ***********************************


____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: CCT issues with netscape and mod_ssl Urgent - On our productionsystem.

On Mon, 15 Jul 2002, Christopher Welsh wrote:

> The certificate was issued by a certificate authority that netscape
> 6.2.3 does not recognize.
>
> Can anyone help? I need to resolve this quickly. I'm sure this was not
> happening before I upgraded to 1.3.26 with x.x.10 mod_ssl when the
> security alert came out. Perhaps I missed something when I performed a
> make install over the top of the old version.

You seem to now be using an invalid (possibly self-signed?) server
certificate. Did you run "make certificate" by chance? You shouldn't
have.

--Cliff

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: CCT issues with netscape and mod_ssl Urgent - On our productionsystem.

Cliff,

Here is what I did. Any ideas what I can do to quickly fix it?


On 1.3.24 I ran make certificate TYPE=custom, and sent the csr off to
esign be signed, but not this time because I wanted to keep the keys
esigned keys.


Not so funny thing is that it is that ALL is well when I get there on
MSIE browsers. ????




cd apache_1.3.26
cd ../../mod_ssl
gunzip mod_ssl-2.8.10-1.3.26.tar.gz
tar -vxf mod_ssl-2.8.10-1.3.26.tar
cd mod_ssl-2.8.10-1.3.26
make clean
less INSTALL # Read the INSTALL file
cd ../../openssl/openssl-0.9.6b
make clean
# Used gcc. Gcc supports position independant code flag.
./Configure no-threads solaris-sparcv9-gcc -fPIC
make
make test
cd ../../mm/mm-1.1.3
./configure --disable-shared
make
cd ../../mod_ssl/mod_ssl-2.8.10-1.3.26
# --enable-rule=SHARED_CORE
./configure --with-apache=../../apache/apache_1.3.26
cd ../../apache/apache_1.3.26
env LIBS=/usr/lib/libC.so.5 CFLAGS=-fPIC
SSL_BASE=../../openssl/openssl-0.9.6b
./configure --enable-module=ssl --enable-module=so --enable-shared=ssl
--enable
-module=rewrite --prefix=/opt/apache --runtimedir=/var/opt/apache
--logfiledir=/
var/opt/apache
make
make install

# ls -l ssl.crt
total 548
lrwxrwxrwx 1 root root 19 Jul 1 17:16 0cf14d7d.0 ->
snakeoil-ca-dsa.crt
lrwxrwxrwx 1 root root 6 Jul 1 17:16 27c9619a.0 -> ca.crt
lrwxrwxrwx 1 root root 16 Jul 1 17:16 5d8360e1.0 ->
snakeoil-dsa.crt
lrwxrwxrwx 1 root root 16 Jul 1 17:16 82ab5372.0 ->
snakeoil-rsa.crt
-rw-r--r-- 1 root root 1522 Feb 27 16:53 Makefile
-rw-r--r-- 1 root root 1386 Feb 27 16:53 README.CRT
lrwxrwxrwx 1 root root 10 Jul 1 17:16 c5f0b2a4.0 ->
server.crt
-r-------- 1 root root 242153 Feb 27 16:53 ca-bundle.crt
-r-------- 1 root root 1318 Feb 27 16:54 ca.crt
lrwxrwxrwx 1 root root 19 Jul 1 17:16 e52d41d0.0 ->
snakeoil-ca-rsa.crt
-r-------- 1 root root 1874 Feb 28 12:05 server.crt
-r-------- 1 root root 1874 Feb 28 09:15 server.crt.esign
-r-------- 1 root root 1298 Feb 27 16:54 server.crt.orig
-r-------- 1 root root 1472 Feb 27 16:54 snakeoil-ca-dsa.crt
-r-------- 1 root root 1192 Feb 27 16:53 snakeoil-ca-rsa.crt
-r-------- 1 root root 1452 Feb 27 16:54 snakeoil-dsa.crt
-r-------- 1 root root 1176 Feb 27 16:54 snakeoil-rsa.crt




Cliff Woolley wrote:

>On Mon, 15 Jul 2002, Christopher Welsh wrote:
>
>
>
>>The certificate was issued by a certificate authority that netscape
>>6.2.3 does not recognize.
>>
>>Can anyone help? I need to resolve this quickly. I'm sure this was not
>>happening before I upgraded to 1.3.26 with x.x.10 mod_ssl when the
>>security alert came out. Perhaps I missed something when I performed a
>>make install over the top of the old version.
>>
>>
>
>You seem to now be using an invalid (possibly self-signed?) server
>certificate. Did you run "make certificate" by chance? You shouldn't
>have.
>
>--Cliff
>
>___________________________________________________________ ___________
>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>User Support Mailing List modssl-users@modssl.org
>Automated List Manager majordomo@modssl.org
>
>

--
Christopher Welsh
Barwon Regional Water Authority,
Geelong Victoria, 3216
Voice: 03 52 262385, Mobile: 0409 562968



************************************************************ *********************************


The information in this e-mail message and any files transmitted with it
are confidential
and/or privileged and are intended only for the use of the individual or
entity to whom
they are addressed. If you received this message in error please notify us
immediately
by telephone or return e-mail and delete all copies from your computer
system, as your
retention, distribution or copying of this message and files is strictly
prohibited.

It is the recipient's responsibility to check this message and files for
viruses.

************************************************************ ***********************************



____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: CCT issues with netscape and mod_ssl Urgent - On our production system.

It seems that the signing authority in the cert is not recognised by the browser... Look at the CA list in the browser to check (Tasks -> privacy and security -> security manager - certificates -> authorities). CA companies have to pay to be included by default in the browser's list and some don't bother to pay for minority browsers like Netscape...

Rgds,

Owen Boyle

>-----Original Message-----
>From: Christopher Welsh [mailto:cris@barwonwater.vic.gov.au]
>Sent: Montag, 15. Juli 2002 08:06
>To: modssl-users@modssl.org
>Subject: CCT issues with netscape and mod_ssl Urgent - On our
>production
>system.
>
>
>Hello,
>
>
>I'm getting the following errors with netscape v 6.2.3 and 7 pre when
>ssl connecting to my web server.
>
>
>
>There is a problem with the cct that identifies
>www.bawonwater.vic.gov.au do you want to continue?
>
>The certificate was issued by a certificate authority that netscape
>6.2.3 does not recognize.
>
>
>Can anyone help? I need to resolve this quickly. I'm sure this was not
>happening before I upgraded to 1.3.26 with x.x.10 mod_ssl when the
>security alert came out. Perhaps I missed something when I performed a
>make install over the top of the old version.
>
>--
>Christopher Welsh
>Barwon Regional Water Authority,
>Geelong Victoria, 3216
>Voice: 03 52 262385, Mobile: 0409 562968
>
>
>
>*********************************************************** ****
>******************************
>
>
>The information in this e-mail message and any files
>transmitted with it
>are confidential
>and/or privileged and are intended only for the use of the
>individual or
>entity to whom
>they are addressed. If you received this message in error
>please notify us
>immediately
>by telephone or return e-mail and delete all copies from your computer
>system, as your
>retention, distribution or copying of this message and files
>is strictly
>prohibited.
>
>It is the recipient's responsibility to check this message and
>files for
>viruses.
>
>*********************************************************** ****
>********************************
>
>
>___________________________________________________________ ___________
>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>User Support Mailing List modssl-users@modssl.org
>Automated List Manager majordomo@modssl.org
>
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org