Closed
Bug 91413
Opened 23 years ago
Closed 23 years ago
PSM cannot access CMS's agent page if it is a subordinate CA
Categories: Core Graveyard :: Security: UI, defect, P1
Tracking: Not tracked
Status: VERIFIED INVALID
psm2.1
People: Reporter: thomask, Assigned: javi
Details
I have set up a CMS4.2SP2, and have installed NS6.1PR1. I have a root CA, and a subordinate CA. When NS6.1PR1 is used to access the subordinate CA agent's page, it fails. (Note that if I use PSM1.4 (an older version), this works and I can access the agent page without problem.)

I used SSLtap to debug, and got the following:

C:\netscape\Server4\bin\cert\tools>ssltap -sl localhost:9101
Looking up "localhost"...
Proxy socket ready and listening
Connection #1 [Wed Jul 18 17:58:17 2001]
Connected to localhost:9101
--> [
alloclen = 72 bytes
(72 bytes of 72)
 [Wed Jul 18 17:58:17 2001] [ssl2] ClientHelloV2 {
    version = {0x03, 0x00}
    cipher-specs-length = 45 (0x2d)
    sid-length = 0 (0x00)
    challenge-length = 16 (0x10)
    cipher-suites = {
        (0x010080) SSL2/RSA/RC4-128/MD5
        (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
        (0x030080) SSL2/RSA/RC2CBC128/MD5
        (0x060040) SSL2/RSA/DES56-CBC/MD5
        (0x020080) SSL2/RSA/RC4-40/MD5
        (0x040080) SSL2/RSA/RC2CBC40/MD5
        (0x000004) SSL3/RSA/RC4-128/MD5
        (0x00feff) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
        (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
        (0x00fefe) SSL3/RSA-FIPS/DES56-CBC/SHA
        (0x000009) SSL3/RSA/DES56-CBC/SHA
        (0x000064) TLS/RSA_EXPORT1024/RC4-56/SHA
        (0x000062) TLS/RSA_EXPORT1024/DES56_CBC/SHA
        (0x000003) SSL3/RSA/RC4-40/MD5
        (0x000006) SSL3/RSA/RC2CBC40/MD5
    }
    session-id = { }
    challenge = { 0xd89a 0x82f4 0x5988 0x9dad 0x8b1c 0xb546 0xc137 0x0d44 }
}
]
<-- [
(1557 bytes of 1552)
SSLRecord { [Wed Jul 18 17:58:17 2001]
   type = 22 (handshake)
   version = { 3,0 }
   length = 1552 (0x610)
   handshake {
      type = 2 (server_hello)
      length = 70 (0x000046)
         ServerHello {
            server_version = {3, 0}
            random = {...}
            session ID = {
               length = 32
               contents = {..}
            }
            cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
         }
      type = 11 (certificate)
      length = 1470 (0x0005be)
         CertificateChain {
            chainlength = 1467 (0x05bb)
            Certificate {
               size = 450 (0x01c2)
               data = { saved in file 'cert.001' }
            }
            Certificate {
               size = 503 (0x01f7)
               data = { saved in file 'cert.002' }
            }
            Certificate {
               size = 505 (0x01f9)
               data = { saved in file 'cert.003' }
            }
         }
      type = 14 (server_hello_done)
      length = 0 (0x000000)
   }
}
]
--> [
(7 bytes of 2)
SSLRecord { [Wed Jul 18 17:58:17 2001]
   type = 21 (alert)
   version = { 3,0 }
   length = 2 (0x2)
   fatal: bad certificate
}
]

The output of the server certificates is:

   0 30  446: SEQUENCE {
   4 30  360:   SEQUENCE {
   8 A0    3:     [0] {
  10 02    1:       INTEGER 2
            :       }
  13 02    1:     INTEGER 2
  16 30   13:     SEQUENCE {
  18 06    9:       OBJECT IDENTIFIER
            :         sha1withRSAEncryption (1 2 840 113549 1 1 5)
  29 05    0:       NULL
            :       }
  31 30   68:     SEQUENCE {
  33 31   11:       SET {
  35 30    9:         SEQUENCE {
  37 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
  42 13    2:           PrintableString 'US'
            :           }
            :         }
  46 31   17:       SET {
  48 30   15:         SEQUENCE {
  50 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
  55 13    8:           PrintableString 'netscape'
            :           }
            :         }
  65 31   34:       SET {
  67 30   32:         SEQUENCE {
  69 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
  74 13   25:           PrintableString 'Certificate Manager (Sub)'
            :           }
            :         }
            :       }
 101 30   30:     SEQUENCE {
 103 17   13:       UTCTime '010717070000Z'
 118 17   13:       UTCTime '030717070000Z'
            :       }
 133 30   67:     SEQUENCE {
 135 31   11:       SET {
 137 30    9:         SEQUENCE {
 139 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
 144 13    2:           PrintableString 'US'
            :           }
            :         }
 148 31   17:       SET {
 150 30   15:         SEQUENCE {
 152 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
 157 13    8:           PrintableString 'netscape'
            :           }
            :         }
 167 31   33:       SET {
 169 30   31:         SEQUENCE {
 171 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
 176 13   24:           PrintableString 'pc614451.red.iplanet.com'
            :           }
            :         }
            :       }
 202 30   92:     SEQUENCE {
 204 30   13:       SEQUENCE {
 206 06    9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
 217 05    0:         NULL
            :         }
 219 03   75:       BIT STRING 0 unused bits
            :         30 48 02 41 00 C3 29 FC DB 45 42 00 91 20 B8 78
            :         96 AE 00 51 3E 2A DF DA D3 7D 3E 32 79 89 63 66
            :         12 60 15 08 C6 52 AF 12 3D 97 84 11 C7 0F 99 36
            :         52 D6 3C E0 4D D7 3E 52 23 9F 79 EE 2C 50 04 74
            :         80 EE C3 3F 7F 02 03 01 00 01
            :       }
 296 A3   70:     [3] {
 298 30   68:       SEQUENCE {
 300 30   17:         SEQUENCE {
 302 06    9:           OBJECT IDENTIFIER
            :             netscape-cert-type (2 16 840 1 113730 1 1)
 313 04    4:           OCTET STRING
            :             03 02 06 C0
            :           }
 319 30   31:         SEQUENCE {
 321 06    3:           OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
 326 04   24:           OCTET STRING
            :             30 16 80 14 AB 64 08 F4 23 F4 D3 56 12 18 1D B0
            :             1C E9 1E C7 D1 9E E4 54
            :           }
 352 30   14:         SEQUENCE {
 354 06    3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
 359 01    1:           BOOLEAN TRUE
 362 04    4:           OCTET STRING
            :             03 02 05 A0
            :           }
            :         }
            :       }
            :     }
 368 30   13:   SEQUENCE {
 370 06    9:     OBJECT IDENTIFIER
            :       sha1withRSAEncryption (1 2 840 113549 1 1 5)
 381 05    0:     NULL
            :     }
 383 03   65:   BIT STRING 0 unused bits
            :     76 EF D4 FB 7A 25 9A D5 CE 6F AB AC 72 9E 5E 31
            :     B7 A3 68 5D 45 B3 FD 4D 13 83 C3 32 15 6A 41 91
            :     87 36 13 37 DF 21 08 29 69 AA F4 4B 66 14 2C 9F
            :     53 3A 8B 08 42 ED 51 40 91 18 47 5A 4D 12 48 70
            :   }

0 warnings, 0 errors.

   0 30  499: SEQUENCE {
   4 30  413:   SEQUENCE {
   8 A0    3:     [0] {
  10 02    1:       INTEGER 2
            :       }
  13 02    2:     INTEGER 13824
  17 30   13:     SEQUENCE {
  19 06    9:       OBJECT IDENTIFIER
            :         md5withRSAEncryption (1 2 840 113549 1 1 4)
  30 05    0:       NULL
            :       }
  32 30   71:     SEQUENCE {
  34 31   11:       SET {
  36 30    9:         SEQUENCE {
  38 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
  43 13    2:           PrintableString 'US'
            :           }
            :         }
  47 31   20:       SET {
  49 30   18:         SEQUENCE {
  51 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
  56 13   11:           PrintableString 'dfdfdfdfdfd'
            :           }
            :         }
  69 31   34:       SET {
  71 30   32:         SEQUENCE {
  73 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
  78 13   25:           PrintableString 'Certificate Manager (xxx)'
            :           }
            :         }
            :       }
 105 30   30:     SEQUENCE {
 107 17   13:       UTCTime '010718005722Z'
 122 17   13:       UTCTime '020718005722Z'
            :       }
 137 30   68:     SEQUENCE {
 139 31   11:       SET {
 141 30    9:         SEQUENCE {
 143 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
 148 13    2:           PrintableString 'US'
            :           }
            :         }
 152 31   17:       SET {
 154 30   15:         SEQUENCE {
 156 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
 161 13    8:           PrintableString 'netscape'
            :           }
            :         }
 171 31   34:       SET {
 173 30   32:         SEQUENCE {
 175 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
 180 13   25:           PrintableString 'Certificate Manager (Sub)'
            :           }
            :         }
            :       }
 207 30   92:     SEQUENCE {
 209 30   13:       SEQUENCE {
 211 06    9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
 222 05    0:         NULL
            :         }
 224 03   75:       BIT STRING 0 unused bits
            :         30 48 02 41 00 BF 9B A7 0F 63 9B B1 19 69 55 2F
            :         3E 8E 4B 63 F9 44 53 02 BB BD BC F5 F2 34 6B 00
            :         2B E4 D7 5F 14 42 4F 3E B5 C1 6A 8E D6 32 3D ED
            :         12 29 63 30 FE 35 74 0D 71 F0 69 10 EC E8 E8 A1
            :         2A 4F F7 6A A3 02 03 01 00 01
            :       }
 301 A3  118:     [3] {
 303 30  116:       SEQUENCE {
 305 30   14:         SEQUENCE {
 307 06    3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
 312 01    1:           BOOLEAN TRUE
 315 04    4:           OCTET STRING
            :             03 02 01 86
            :           }
 321 30   17:         SEQUENCE {
 323 06    9:           OBJECT IDENTIFIER
            :             netscape-cert-type (2 16 840 1 113730 1 1)
 334 04    4:           OCTET STRING
            :             03 02 00 87
            :           }
 340 30   29:         SEQUENCE {
 342 06    3:           OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
 347 04   22:           OCTET STRING
            :             04 14 AB 64 08 F4 23 F4 D3 56 12 18 1D B0 1C E9
            :             1E C7 D1 9E E4 54
            :           }
 371 30   31:         SEQUENCE {
 373 06    3:           OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
 378 04   24:           OCTET STRING
            :             30 16 80 14 E0 72 9A 04 73 96 64 85 55 78 30 3E
            :             DB C6 4C 05 34 23 EC 30
            :           }
 404 30   15:         SEQUENCE {
 406 06    3:           OBJECT IDENTIFIER basicConstraints (2 5 29 19)
 411 01    1:           BOOLEAN TRUE
 414 04    5:           OCTET STRING
            :             30 03 01 01 FF
            :           }
            :         }
            :       }
            :     }
 421 30   13:   SEQUENCE {
 423 06    9:     OBJECT IDENTIFIER md5withRSAEncryption (1 2 840 113549 1 1 4)
 434 05    0:     NULL
            :     }
 436 03   65:   BIT STRING 0 unused bits
            :     6D F2 C3 96 BE 2C 8D 7B 45 25 70 34 2D D3 EF BF
            :     9E 28 54 98 AC 20 24 AF 45 9B 8C 5A E9 B4 39 A2
            :     B3 DC C9 F6 4A 10 0F 36 DF AA E4 38 67 39 02 4A
            :     4A 54 7A 92 B1 92 B9 BB C6 A5 23 80 AA 47 C3 FF
            :   }

0 warnings, 0 errors.

   0 30  501: SEQUENCE {
   4 30  415:   SEQUENCE {
   8 A0    3:     [0] {
  10 02    1:       INTEGER 2
            :       }
  13 02    1:     INTEGER 1
  16 30   13:     SEQUENCE {
  18 06    9:       OBJECT IDENTIFIER
            :         sha1withRSAEncryption (1 2 840 113549 1 1 5)
  29 05    0:       NULL
            :       }
  31 30   71:     SEQUENCE {
  33 31   11:       SET {
  35 30    9:         SEQUENCE {
  37 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
  42 13    2:           PrintableString 'US'
            :           }
            :         }
  46 31   20:       SET {
  48 30   18:         SEQUENCE {
  50 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
  55 13   11:           PrintableString 'dfdfdfdfdfd'
            :           }
            :         }
  68 31   34:       SET {
  70 30   32:         SEQUENCE {
  72 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
  77 13   25:           PrintableString 'Certificate Manager (xxx)'
            :           }
            :         }
            :       }
 104 30   30:     SEQUENCE {
 106 17   13:       UTCTime '010712070000Z'
 121 17   13:       UTCTime '030712070000Z'
            :       }
 136 30   71:     SEQUENCE {
 138 31   11:       SET {
 140 30    9:         SEQUENCE {
 142 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
 147 13    2:           PrintableString 'US'
            :           }
            :         }
 151 31   20:       SET {
 153 30   18:         SEQUENCE {
 155 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
 160 13   11:           PrintableString 'dfdfdfdfdfd'
            :           }
            :         }
 173 31   34:       SET {
 175 30   32:         SEQUENCE {
 177 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
 182 13   25:           PrintableString 'Certificate Manager (xxx)'
            :           }
            :         }
            :       }
 209 30   92:     SEQUENCE {
 211 30   13:       SEQUENCE {
 213 06    9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
 224 05    0:         NULL
            :         }
 226 03   75:       BIT STRING 0 unused bits
            :         30 48 02 41 00 C6 E3 DC 6E 2D E7 51 63 77 59 69
            :         15 EB 21 BA 1E 2F 4A C2 4A 90 F7 B4 B9 8A 57 25
            :         C0 7E FB 56 62 CD F0 68 B6 97 FB 61 42 3C 15 8B
            :         11 09 D7 D2 D1 CA 32 55 B2 80 CD 9C 9E 5B 45 52
            :         EE 2D AD F9 5D 02 03 01 00 01
            :       }
 303 A3  118:     [3] {
 305 30  116:       SEQUENCE {
 307 30   17:         SEQUENCE {
 309 06    9:           OBJECT IDENTIFIER
            :             netscape-cert-type (2 16 840 1 113730 1 1)
 320 04    4:           OCTET STRING
            :             03 02 00 07
            :           }
 326 30   15:         SEQUENCE {
 328 06    3:           OBJECT IDENTIFIER basicConstraints (2 5 29 19)
 333 01    1:           BOOLEAN TRUE
 336 04    5:           OCTET STRING
            :             30 03 01 01 FF
            :           }
 343 30   29:         SEQUENCE {
 345 06    3:           OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
 350 04   22:           OCTET STRING
            :             04 14 E0 72 9A 04 73 96 64 85 55 78 30 3E DB C6
            :             4C 05 34 23 EC 30
            :           }
 374 30   31:         SEQUENCE {
 376 06    3:           OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
 381 04   24:           OCTET STRING
            :             30 16 80 14 E0 72 9A 04 73 96 64 85 55 78 30 3E
            :             DB C6 4C 05 34 23 EC 30
            :           }
 407 30   14:         SEQUENCE {
 409 06    3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
 414 01    1:           BOOLEAN TRUE
 417 04    4:           OCTET STRING
            :             03 02 01 86
            :           }
            :         }
            :       }
            :     }
 423 30   13:   SEQUENCE {
 425 06    9:     OBJECT IDENTIFIER
            :       sha1withRSAEncryption (1 2 840 113549 1 1 5)
 436 05    0:     NULL
            :     }
 438 03   65:   BIT STRING 0 unused bits
            :     0B 6E 96 6E C2 27 1C D4 D6 C8 DE 0C 7B DF 0D A4
            :     9D 23 74 35 86 85 FB 64 75 8C D3 77 DB 7B 87 B8
            :     2C 95 1A C4 57 01 BF A2 DD CE C5 6A F7 A0 03 22
            :     63 E9 1E 74 45 C7 4E 31 29 9C B8 BD F5 E4 86 BD
            :   }

0 warnings, 0 errors.
Updated•23 years ago
Assignee: ssaux → javi
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P1
Target Milestone: --- → 2.1
Comment 1•23 years ago
Thomas, can we get the CMS server URL to replicate and debug? Thanks,
P1 t->2.1 ->javi
Javi, setting to P1 so that you look at it right away. Reprioritize after doing so, if warranted.
Comment 3•23 years ago
This seems to work for me. Reporter, can you use the latest branch build to try this?
Hmm, just set up another sub CA, this time it works. https://192.18.121.247:8101 This could be a database corruption thingy. I will reopen this bug if I see it again. For now, close as invalid.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → INVALID
Also, I am using the latest build (07-20) now. Maybe this helps.
Updated•8 years ago
Product: Core → Core Graveyard