Closed Bug 91413 Opened 23 years ago Closed 23 years ago

PSM cannot access CMS's agent page if it is a subordinate CA

Categories

(Core Graveyard :: Security: UI, defect, P1)

1.0 Branch
x86
Windows 2000
defect


VERIFIED INVALID
psm2.1

People

(Reporter: thomask, Assigned: javi)

Details

I have set up a CMS4.2SP2, and have installed NS6.1PR1.

I have a root CA, and a subordinate CA. When NS6.1PR1 is used to access the subordinate CA agent's page, it fails.

(Note that if I use PSM1.4 (an older version), this works and I can access the agent page without problem.)

I used SSLtap to debug, and got the following:

C:\netscape\Server4\bin\cert\tools>ssltap -sl localhost:9101
Looking up "localhost"...
Proxy socket ready and listening
Connection #1 [Wed Jul 18 17:58:17 2001]
Connected to localhost:9101
--> [
alloclen = 72 bytes
(72 bytes of 72)
 [Wed Jul 18 17:58:17 2001] [ssl2]  ClientHelloV2 {
           version = {0x03, 0x00}
           cipher-specs-length = 45 (0x2d)
           sid-length = 0 (0x00)
           challenge-length = 16 (0x10)
           cipher-suites = {
                (0x010080) SSL2/RSA/RC4-128/MD5
                (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
                (0x030080) SSL2/RSA/RC2CBC128/MD5
                (0x060040) SSL2/RSA/DES56-CBC/MD5
                (0x020080) SSL2/RSA/RC4-40/MD5
                (0x040080) SSL2/RSA/RC2CBC40/MD5
                (0x000004) SSL3/RSA/RC4-128/MD5
                (0x00feff) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
                (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
                (0x00fefe) SSL3/RSA-FIPS/DES56-CBC/SHA
                (0x000009) SSL3/RSA/DES56-CBC/SHA
                (0x000064) TLS/RSA_EXPORT1024/RC4-56/SHA
                (0x000062) TLS/RSA_EXPORT1024/DES56_CBC/SHA
                (0x000003) SSL3/RSA/RC4-40/MD5
                (0x000006) SSL3/RSA/RC2CBC40/MD5
                }
           session-id = { }
           challenge = { 0xd89a 0x82f4 0x5988 0x9dad 0x8b1c 0xb546 0xc137 0x0d44
 }
}
]
<-- [
(1557 bytes of 1552)
SSLRecord { [Wed Jul 18 17:58:17 2001]
   type    = 22 (handshake)
   version = { 3,0 }
   length  = 1552 (0x610)
   handshake {
      type = 2 (server_hello)
      length = 70 (0x000046)
         ServerHello {
            server_version = {3, 0}
            random = {...}
            session ID = {
                length = 32
                contents = {..}
            }
            cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
         }
      type = 11 (certificate)
      length = 1470 (0x0005be)
         CertificateChain {
            chainlength = 1467 (0x05bb)
            Certificate {
               size = 450 (0x01c2)
               data = { saved in file 'cert.001' }
            }
            Certificate {
               size = 503 (0x01f7)
               data = { saved in file 'cert.002' }
            }
            Certificate {
               size = 505 (0x01f9)
               data = { saved in file 'cert.003' }
            }
         }
      type = 14 (server_hello_done)
      length = 0 (0x000000)
   }
}
]
--> [
(7 bytes of 2)
SSLRecord { [Wed Jul 18 17:58:17 2001]
   type    = 21 (alert)
   version = { 3,0 }
   length  = 2 (0x2)
   fatal: bad certificate
}
]

The output for the server certificates is:

   0 30  446: SEQUENCE {
   4 30  360:   SEQUENCE {
   8 A0    3:     [0] {
  10 02    1:       INTEGER 2
            :       }
  13 02    1:     INTEGER 2
  16 30   13:     SEQUENCE {
  18 06    9:       OBJECT IDENTIFIER
            :         sha1withRSAEncryption (1 2 840 113549 1 1 5)
  29 05    0:       NULL
            :       }
  31 30   68:     SEQUENCE {
  33 31   11:       SET {
  35 30    9:         SEQUENCE {
  37 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
  42 13    2:           PrintableString 'US'
            :           }
            :         }
  46 31   17:       SET {
  48 30   15:         SEQUENCE {
  50 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
  55 13    8:           PrintableString 'netscape'
            :           }
            :         }
  65 31   34:       SET {
  67 30   32:         SEQUENCE {
  69 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
  74 13   25:           PrintableString 'Certificate Manager (Sub)'
            :           }
            :         }
            :       }
 101 30   30:     SEQUENCE {
 103 17   13:       UTCTime '010717070000Z'
 118 17   13:       UTCTime '030717070000Z'
            :       }
 133 30   67:     SEQUENCE {
 135 31   11:       SET {
 137 30    9:         SEQUENCE {
 139 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
 144 13    2:           PrintableString 'US'
            :           }
            :         }
 148 31   17:       SET {
 150 30   15:         SEQUENCE {
 152 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
 157 13    8:           PrintableString 'netscape'
            :           }
            :         }
 167 31   33:       SET {
 169 30   31:         SEQUENCE {
 171 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
 176 13   24:           PrintableString 'pc614451.red.iplanet.com'
            :           }
            :         }
            :       }
 202 30   92:     SEQUENCE {
 204 30   13:       SEQUENCE {
 206 06    9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
 217 05    0:         NULL
            :         }
 219 03   75:       BIT STRING 0 unused bits
            :         30 48 02 41 00 C3 29 FC DB 45 42 00 91 20 B8 78
            :         96 AE 00 51 3E 2A DF DA D3 7D 3E 32 79 89 63 66
            :         12 60 15 08 C6 52 AF 12 3D 97 84 11 C7 0F 99 36
            :         52 D6 3C E0 4D D7 3E 52 23 9F 79 EE 2C 50 04 74
            :         80 EE C3 3F 7F 02 03 01 00 01
            :       }
 296 A3   70:     [3] {
 298 30   68:       SEQUENCE {
 300 30   17:         SEQUENCE {
 302 06    9:           OBJECT IDENTIFIER
            :             netscape-cert-type (2 16 840 1 113730 1 1)
 313 04    4:           OCTET STRING
            :             03 02 06 C0
            :           }
 319 30   31:         SEQUENCE {
 321 06    3:           OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
 326 04   24:           OCTET STRING
            :             30 16 80 14 AB 64 08 F4 23 F4 D3 56 12 18 1D B0
            :             1C E9 1E C7 D1 9E E4 54
            :           }
 352 30   14:         SEQUENCE {
 354 06    3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
 359 01    1:           BOOLEAN TRUE
 362 04    4:           OCTET STRING
            :             03 02 05 A0
            :           }
            :         }
            :       }
            :     }
 368 30   13:   SEQUENCE {
 370 06    9:     OBJECT IDENTIFIER
            :       sha1withRSAEncryption (1 2 840 113549 1 1 5)
 381 05    0:     NULL
            :     }
 383 03   65:   BIT STRING 0 unused bits
            :     76 EF D4 FB 7A 25 9A D5 CE 6F AB AC 72 9E 5E 31
            :     B7 A3 68 5D 45 B3 FD 4D 13 83 C3 32 15 6A 41 91
            :     87 36 13 37 DF 21 08 29 69 AA F4 4B 66 14 2C 9F
            :     53 3A 8B 08 42 ED 51 40 91 18 47 5A 4D 12 48 70
            :   }

0 warnings, 0 errors.

   0 30  499: SEQUENCE {
   4 30  413:   SEQUENCE {
   8 A0    3:     [0] {
  10 02    1:       INTEGER 2
            :       }
  13 02    2:     INTEGER 13824
  17 30   13:     SEQUENCE {
  19 06    9:       OBJECT IDENTIFIER
            :         md5withRSAEncryption (1 2 840 113549 1 1 4)
  30 05    0:       NULL
            :       }
  32 30   71:     SEQUENCE {
  34 31   11:       SET {
  36 30    9:         SEQUENCE {
  38 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
  43 13    2:           PrintableString 'US'
            :           }
            :         }
  47 31   20:       SET {
  49 30   18:         SEQUENCE {
  51 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
  56 13   11:           PrintableString 'dfdfdfdfdfd'
            :           }
            :         }
  69 31   34:       SET {
  71 30   32:         SEQUENCE {
  73 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
  78 13   25:           PrintableString 'Certificate Manager (xxx)'
            :           }
            :         }
            :       }
 105 30   30:     SEQUENCE {
 107 17   13:       UTCTime '010718005722Z'
 122 17   13:       UTCTime '020718005722Z'
            :       }
 137 30   68:     SEQUENCE {
 139 31   11:       SET {
 141 30    9:         SEQUENCE {
 143 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
 148 13    2:           PrintableString 'US'
            :           }
            :         }
 152 31   17:       SET {
 154 30   15:         SEQUENCE {
 156 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
 161 13    8:           PrintableString 'netscape'
            :           }
            :         }
 171 31   34:       SET {
 173 30   32:         SEQUENCE {
 175 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
 180 13   25:           PrintableString 'Certificate Manager (Sub)'
            :           }
            :         }
            :       }
 207 30   92:     SEQUENCE {
 209 30   13:       SEQUENCE {
 211 06    9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
 222 05    0:         NULL
            :         }
 224 03   75:       BIT STRING 0 unused bits
            :         30 48 02 41 00 BF 9B A7 0F 63 9B B1 19 69 55 2F
            :         3E 8E 4B 63 F9 44 53 02 BB BD BC F5 F2 34 6B 00
            :         2B E4 D7 5F 14 42 4F 3E B5 C1 6A 8E D6 32 3D ED
            :         12 29 63 30 FE 35 74 0D 71 F0 69 10 EC E8 E8 A1
            :         2A 4F F7 6A A3 02 03 01 00 01
            :       }
 301 A3  118:     [3] {
 303 30  116:       SEQUENCE {
 305 30   14:         SEQUENCE {
 307 06    3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
 312 01    1:           BOOLEAN TRUE
 315 04    4:           OCTET STRING
            :             03 02 01 86
            :           }
 321 30   17:         SEQUENCE {
 323 06    9:           OBJECT IDENTIFIER
            :             netscape-cert-type (2 16 840 1 113730 1 1)
 334 04    4:           OCTET STRING
            :             03 02 00 87
            :           }
 340 30   29:         SEQUENCE {
 342 06    3:           OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
 347 04   22:           OCTET STRING
            :             04 14 AB 64 08 F4 23 F4 D3 56 12 18 1D B0 1C E9
            :             1E C7 D1 9E E4 54
            :           }
 371 30   31:         SEQUENCE {
 373 06    3:           OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
 378 04   24:           OCTET STRING
            :             30 16 80 14 E0 72 9A 04 73 96 64 85 55 78 30 3E
            :             DB C6 4C 05 34 23 EC 30
            :           }
 404 30   15:         SEQUENCE {
 406 06    3:           OBJECT IDENTIFIER basicConstraints (2 5 29 19)
 411 01    1:           BOOLEAN TRUE
 414 04    5:           OCTET STRING
            :             30 03 01 01 FF
            :           }
            :         }
            :       }
            :     }
 421 30   13:   SEQUENCE {
 423 06    9:     OBJECT IDENTIFIER md5withRSAEncryption (1 2 840 113549 1 1 4)
 434 05    0:     NULL
            :     }
 436 03   65:   BIT STRING 0 unused bits
            :     6D F2 C3 96 BE 2C 8D 7B 45 25 70 34 2D D3 EF BF
            :     9E 28 54 98 AC 20 24 AF 45 9B 8C 5A E9 B4 39 A2
            :     B3 DC C9 F6 4A 10 0F 36 DF AA E4 38 67 39 02 4A
            :     4A 54 7A 92 B1 92 B9 BB C6 A5 23 80 AA 47 C3 FF
            :   }

0 warnings, 0 errors.

   0 30  501: SEQUENCE {
   4 30  415:   SEQUENCE {
   8 A0    3:     [0] {
  10 02    1:       INTEGER 2
            :       }
  13 02    1:     INTEGER 1
  16 30   13:     SEQUENCE {
  18 06    9:       OBJECT IDENTIFIER
            :         sha1withRSAEncryption (1 2 840 113549 1 1 5)
  29 05    0:       NULL
            :       }
  31 30   71:     SEQUENCE {
  33 31   11:       SET {
  35 30    9:         SEQUENCE {
  37 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
  42 13    2:           PrintableString 'US'
            :           }
            :         }
  46 31   20:       SET {
  48 30   18:         SEQUENCE {
  50 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
  55 13   11:           PrintableString 'dfdfdfdfdfd'
            :           }
            :         }
  68 31   34:       SET {
  70 30   32:         SEQUENCE {
  72 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
  77 13   25:           PrintableString 'Certificate Manager (xxx)'
            :           }
            :         }
            :       }
 104 30   30:     SEQUENCE {
 106 17   13:       UTCTime '010712070000Z'
 121 17   13:       UTCTime '030712070000Z'
            :       }
 136 30   71:     SEQUENCE {
 138 31   11:       SET {
 140 30    9:         SEQUENCE {
 142 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
 147 13    2:           PrintableString 'US'
            :           }
            :         }
 151 31   20:       SET {
 153 30   18:         SEQUENCE {
 155 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
 160 13   11:           PrintableString 'dfdfdfdfdfd'
            :           }
            :         }
 173 31   34:       SET {
 175 30   32:         SEQUENCE {
 177 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
 182 13   25:           PrintableString 'Certificate Manager (xxx)'
            :           }
            :         }
            :       }
 209 30   92:     SEQUENCE {
 211 30   13:       SEQUENCE {
 213 06    9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
 224 05    0:         NULL
            :         }
 226 03   75:       BIT STRING 0 unused bits
            :         30 48 02 41 00 C6 E3 DC 6E 2D E7 51 63 77 59 69
            :         15 EB 21 BA 1E 2F 4A C2 4A 90 F7 B4 B9 8A 57 25
            :         C0 7E FB 56 62 CD F0 68 B6 97 FB 61 42 3C 15 8B
            :         11 09 D7 D2 D1 CA 32 55 B2 80 CD 9C 9E 5B 45 52
            :         EE 2D AD F9 5D 02 03 01 00 01
            :       }
 303 A3  118:     [3] {
 305 30  116:       SEQUENCE {
 307 30   17:         SEQUENCE {
 309 06    9:           OBJECT IDENTIFIER
            :             netscape-cert-type (2 16 840 1 113730 1 1)
 320 04    4:           OCTET STRING
            :             03 02 00 07
            :           }
 326 30   15:         SEQUENCE {
 328 06    3:           OBJECT IDENTIFIER basicConstraints (2 5 29 19)
 333 01    1:           BOOLEAN TRUE
 336 04    5:           OCTET STRING
            :             30 03 01 01 FF
            :           }
 343 30   29:         SEQUENCE {
 345 06    3:           OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
 350 04   22:           OCTET STRING
            :             04 14 E0 72 9A 04 73 96 64 85 55 78 30 3E DB C6
            :             4C 05 34 23 EC 30
            :           }
 374 30   31:         SEQUENCE {
 376 06    3:           OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
 381 04   24:           OCTET STRING
            :             30 16 80 14 E0 72 9A 04 73 96 64 85 55 78 30 3E
            :             DB C6 4C 05 34 23 EC 30
            :           }
 407 30   14:         SEQUENCE {
 409 06    3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
 414 01    1:           BOOLEAN TRUE
 417 04    4:           OCTET STRING
            :             03 02 01 86
            :           }
            :         }
            :       }
            :     }
 423 30   13:   SEQUENCE {
 425 06    9:     OBJECT IDENTIFIER
            :       sha1withRSAEncryption (1 2 840 113549 1 1 5)
 436 05    0:     NULL
            :     }
 438 03   65:   BIT STRING 0 unused bits
            :     0B 6E 96 6E C2 27 1C D4 D6 C8 DE 0C 7B DF 0D A4
            :     9D 23 74 35 86 85 FB 64 75 8C D3 77 DB 7B 87 B8
            :     2C 95 1A C4 57 01 BF A2 DD CE C5 6A F7 A0 03 22
            :     63 E9 1E 74 45 C7 4E 31 29 9C B8 BD F5 E4 86 BD
            :   }

0 warnings, 0 errors.
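The ssltap capture above shows the client answering the server's Certificate message with a fatal bad_certificate alert, and the dumpasn1 output gives the fields a chain walker would check on those three certificates: issuer against subject, authorityKeyIdentifier against subjectKeyIdentifier, the cA flag in basicConstraints, keyUsage, netscape-cert-type and the validity periods. The script below decodes those extension values exactly as printed (the unused-bits octet of each BIT STRING, the [0] keyIdentifier inside AKI, the cA BOOLEAN) and walks cert.001 -> cert.002 -> cert.003 at the capture time. It is an added example, not code from the bug report, from PSM or from NSS; the hex, names and dates are transcribed from the dumps, while the record layout, the function names and the reading of the zone-less ssltap timestamp as UTC are assumptions. On this chain every structural check passes; the only thing it surfaces is that the server certificate's notBefore (2001-07-17 07:00 UTC) precedes the sub CA's (2001-07-18 00:57 UTC). RFC 5280 path validation does not require validity periods to nest, and the report was closed as not reproducible, so that is an observation, not a diagnosis. Signatures are not verified because the dumps show the signature bits but not the to-be-signed bytes.

```python
"""Decode the extension bytes printed in the dumpasn1 output above and walk
cert.001 (server) -> cert.002 (sub CA) -> cert.003 (root) as a chain.
Added example, not code from the bug report, PSM or NSS.  Hex, names and dates
are transcribed from the dumps; the record layout, function names and the UTC
reading of the zone-less ssltap timestamp are assumptions.  Stdlib only."""
import datetime

# Bit 0 is the most significant bit of the first content octet.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]
NS_CERT_TYPE_BITS = ["sslClient", "sslServer", "smime", "objectSigning",
                     "reserved", "sslCA", "smimeCA", "objectSigningCA"]

def h(s):
    """Hex as printed by dumpasn1 ('03 02 05 A0') -> bytes."""
    return bytes.fromhex(s.replace(" ", ""))

def parse_tlv(data, offset=0):
    """One DER tag-length-value at offset -> (tag, value, end); long-form lengths handled."""
    tag, length, offset = data[offset], data[offset + 1], offset + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    return tag, data[offset:offset + length], offset + length

def decode_bit_string(der, names):
    """Names of the bits set in a DER BIT STRING, honouring the unused-bits octet."""
    tag, value, _ = parse_tlv(der)
    assert tag == 0x03, "not a BIT STRING"
    unused, bits = value[0], value[1:]
    usable = len(bits) * 8 - unused
    return [n for i, n in enumerate(names)
            if i < usable and bits[i // 8] & (0x80 >> (i % 8))]

def decode_basic_constraints(der):
    """cA flag of BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }."""
    _, body, _ = parse_tlv(der)
    if not body or body[0] != 0x01:      # cA omitted -> DEFAULT FALSE
        return False
    return parse_tlv(body)[1] != b"\x00"

def decode_key_identifier(der):
    """SKI is a bare OCTET STRING; AKI is SEQUENCE { [0] IMPLICIT keyIdentifier }."""
    tag, body, _ = parse_tlv(der)
    if tag == 0x30:
        tag, body, _ = parse_tlv(body)
        assert tag == 0x80, "AKI without keyIdentifier"
    return body

def utctime(s):
    """UTCTime 'YYMMDDhhmmssZ' -> naive UTC datetime (YY >= 50 means 19YY, per RFC 5280)."""
    yy = int(s[:2])
    return datetime.datetime(1900 + yy if yy >= 50 else 2000 + yy, int(s[2:4]),
                             int(s[4:6]), int(s[6:8]), int(s[8:10]), int(s[10:12]))

def cert(name, subject, issuer, nb, na, ku, nct, aki, ski=None, bc=None):
    return dict(name=name, subject=subject, issuer=issuer, not_before=nb, not_after=na,
                key_usage=h(ku), ns_cert_type=h(nct), aki=h(aki),
                ski=h(ski) if ski else None, basic_constraints=h(bc) if bc else None)

SUB_KID = "AB 64 08 F4 23 F4 D3 56 12 18 1D B0 1C E9 1E C7 D1 9E E4 54"
ROOT_KID = "E0 72 9A 04 73 96 64 85 55 78 30 3E DB C6 4C 05 34 23 EC 30"
SUB_DN = "CN=Certificate Manager (Sub),O=netscape,C=US"
ROOT_DN = "CN=Certificate Manager (xxx),O=dfdfdfdfdfd,C=US"
CHAIN = [  # values transcribed from the three dumps above
    cert("cert.001", "CN=pc614451.red.iplanet.com,O=netscape,C=US", SUB_DN,
         "010717070000Z", "030717070000Z", "03 02 05 A0", "03 02 06 C0",
         "30 16 80 14 " + SUB_KID),
    cert("cert.002", SUB_DN, ROOT_DN, "010718005722Z", "020718005722Z",
         "03 02 01 86", "03 02 00 87", "30 16 80 14 " + ROOT_KID,
         ski="04 14 " + SUB_KID, bc="30 03 01 01 FF"),
    cert("cert.003", ROOT_DN, ROOT_DN, "010712070000Z", "030712070000Z",
         "03 02 01 86", "03 02 00 07", "30 16 80 14 " + ROOT_KID,
         ski="04 14 " + ROOT_KID, bc="30 03 01 01 FF"),
]
# ssltap stamped the connection "Wed Jul 18 17:58:17 2001" with no zone; UTC assumed.
CONNECT_TIME = datetime.datetime(2001, 7, 18, 17, 58, 17)

def check_chain(chain, at):
    """Walk leaf -> root.  errors: conditions a client rejects the chain for.
    notes: facts worth a look that RFC 5280 does not forbid.  Signatures are
    not verified: the dumps show the signature bits, not the to-be-signed data."""
    errors, notes = [], []
    for c in chain:
        if not utctime(c["not_before"]) <= at <= utctime(c["not_after"]):
            errors.append(f"{c['name']} not valid at {at}")
    if "sslServer" not in decode_bit_string(chain[0]["ns_cert_type"], NS_CERT_TYPE_BITS):
        errors.append(f"{chain[0]['name']} netscape-cert-type lacks sslServer")
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            errors.append(f"{child['name']} issuer != {parent['name']} subject")
        if parent["ski"] is None or decode_key_identifier(child["aki"]) != decode_key_identifier(parent["ski"]):
            errors.append(f"{child['name']} AKI != {parent['name']} SKI")
        bc = parent["basic_constraints"]
        if not (bc and decode_basic_constraints(bc)):
            errors.append(f"{parent['name']} is not marked cA")
        if "keyCertSign" not in decode_bit_string(parent["key_usage"], KEY_USAGE_BITS):
            errors.append(f"{parent['name']} keyUsage lacks keyCertSign")
        if "sslCA" not in decode_bit_string(parent["ns_cert_type"], NS_CERT_TYPE_BITS):
            errors.append(f"{parent['name']} netscape-cert-type lacks sslCA")
        if utctime(child["not_before"]) < utctime(parent["not_before"]):
            notes.append(f"{child['name']} notBefore precedes {parent['name']} notBefore")
    if chain[-1]["subject"] != chain[-1]["issuer"]:
        errors.append("chain does not end at a self-signed certificate")
    return errors, notes
```

check_chain(CHAIN, CONNECT_TIME) returns an empty error list and the single nesting note for this chain. Swapping the leaf's AKI for the root's key identifier in the transcribed data produces a "cert.001 AKI != cert.002 SKI" error, which is the kind of linkage failure a client reports with a bad_certificate alert; moving the evaluation time past 2002-07-18 flags cert.002, whose one-year validity is the shortest in the chain.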
Assignee: ssaux → javi
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P1
Target Milestone: --- → 2.1
Thomas, can we get the CMS server URL to replicate and debug?
Thanks,

P1
t->2.1
->javi

Javi, setting to P1 so that you look at it right away. Reprioritize after doing so, if warranted.
This seems to work for me. Reporter, can you use the latest branch build to try this?
Hmm, just set up another sub CA, this time it works.

https://192.18.121.247:8101

This could be a database corruption thingy. I will reopen this bug if I see it again. For now, close as invalid.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → INVALID
Also, I am using the latest build (07-20) now. Maybe this helps.
Verified invalid per reporter's comment.
Status: RESOLVED → VERIFIED
Product: PSM → Core
Version: psm2.0 → 1.0 Branch
Product: Core → Core Graveyard