PSM cannot access CMS's agent page if it is a subordinate CA

VERIFIED INVALID

Status

Core Graveyard
Security: UI
P1
normal
VERIFIED INVALID
17 years ago
a year ago

People

(Reporter: thomask, Assigned: Javier Delgadillo)

Tracking

1.0 Branch
psm2.1
x86
Windows 2000

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

17 years ago
I have set up a CMS4.2SP2, and have installed NS6.1PR1.

I have a root CA, and a subordinate CA. When NS6.1PR1 is used to access
the subordinate CA agent's page, it fails. 

(Note that if I use PSM1.4 (an older version), this works and I can access
the agent page without problem)

I used SSLtap to debug, and got the following:

C:\netscape\Server4\bin\cert\tools>ssltap -sl localhost:9101
Looking up "localhost"...
Proxy socket ready and listening
Connection #1 [Wed Jul 18 17:58:17 2001]
Connected to localhost:9101
--> [
alloclen = 72 bytes
(72 bytes of 72)
 [Wed Jul 18 17:58:17 2001] [ssl2]  ClientHelloV2 {
           version = {0x03, 0x00}
           cipher-specs-length = 45 (0x2d)
           sid-length = 0 (0x00)
           challenge-length = 16 (0x10)
           cipher-suites = {
                (0x010080) SSL2/RSA/RC4-128/MD5
                (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
                (0x030080) SSL2/RSA/RC2CBC128/MD5
                (0x060040) SSL2/RSA/DES56-CBC/MD5
                (0x020080) SSL2/RSA/RC4-40/MD5
                (0x040080) SSL2/RSA/RC2CBC40/MD5
                (0x000004) SSL3/RSA/RC4-128/MD5
                (0x00feff) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
                (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
                (0x00fefe) SSL3/RSA-FIPS/DES56-CBC/SHA
                (0x000009) SSL3/RSA/DES56-CBC/SHA
                (0x000064) TLS/RSA_EXPORT1024/RC4-56/SHA
                (0x000062) TLS/RSA_EXPORT1024/DES56_CBC/SHA
                (0x000003) SSL3/RSA/RC4-40/MD5
                (0x000006) SSL3/RSA/RC2CBC40/MD5
                }
           session-id = { }
           challenge = { 0xd89a 0x82f4 0x5988 0x9dad 0x8b1c 0xb546 0xc137 0x0d44
 }
}
]
<-- [
(1557 bytes of 1552)
SSLRecord { [Wed Jul 18 17:58:17 2001]
   type    = 22 (handshake)
   version = { 3,0 }
   length  = 1552 (0x610)
   handshake {
      type = 2 (server_hello)
      length = 70 (0x000046)
         ServerHello {
            server_version = {3, 0}
            random = {...}
            session ID = {
                length = 32
                contents = {..}
            }
            cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
         }
      type = 11 (certificate)
      length = 1470 (0x0005be)
         CertificateChain {
            chainlength = 1467 (0x05bb)
            Certificate {
               size = 450 (0x01c2)
               data = { saved in file 'cert.001' }
            }
            Certificate {
               size = 503 (0x01f7)
               data = { saved in file 'cert.002' }
            }
            Certificate {
               size = 505 (0x01f9)
               data = { saved in file 'cert.003' }
            }
         }
      type = 14 (server_hello_done)
      length = 0 (0x000000)
   }
}
]
--> [
(7 bytes of 2)
SSLRecord { [Wed Jul 18 17:58:17 2001]
   type    = 21 (alert)
   version = { 3,0 }
   length  = 2 (0x2)
   fatal: bad certificate
}
]

The output of the server certificates is:

   0 30  446: SEQUENCE {
   4 30  360:   SEQUENCE {
   8 A0    3:     [0] {
  10 02    1:       INTEGER 2
            :       }
  13 02    1:     INTEGER 2
  16 30   13:     SEQUENCE {
  18 06    9:       OBJECT IDENTIFIER
            :         sha1withRSAEncryption (1 2 840 113549 1 1 5)
  29 05    0:       NULL
            :       }
  31 30   68:     SEQUENCE {
  33 31   11:       SET {
  35 30    9:         SEQUENCE {
  37 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
  42 13    2:           PrintableString 'US'
            :           }
            :         }
  46 31   17:       SET {
  48 30   15:         SEQUENCE {
  50 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
  55 13    8:           PrintableString 'netscape'
            :           }
            :         }
  65 31   34:       SET {
  67 30   32:         SEQUENCE {
  69 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
  74 13   25:           PrintableString 'Certificate Manager (Sub)'
            :           }
            :         }
            :       }
 101 30   30:     SEQUENCE {
 103 17   13:       UTCTime '010717070000Z'
 118 17   13:       UTCTime '030717070000Z'
            :       }
 133 30   67:     SEQUENCE {
 135 31   11:       SET {
 137 30    9:         SEQUENCE {
 139 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
 144 13    2:           PrintableString 'US'
            :           }
            :         }
 148 31   17:       SET {
 150 30   15:         SEQUENCE {
 152 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
 157 13    8:           PrintableString 'netscape'
            :           }
            :         }
 167 31   33:       SET {
 169 30   31:         SEQUENCE {
 171 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
 176 13   24:           PrintableString 'pc614451.red.iplanet.com'
            :           }
            :         }
            :       }
 202 30   92:     SEQUENCE {
 204 30   13:       SEQUENCE {
 206 06    9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
 217 05    0:         NULL
            :         }
 219 03   75:       BIT STRING 0 unused bits
            :         30 48 02 41 00 C3 29 FC DB 45 42 00 91 20 B8 78
            :         96 AE 00 51 3E 2A DF DA D3 7D 3E 32 79 89 63 66
            :         12 60 15 08 C6 52 AF 12 3D 97 84 11 C7 0F 99 36
            :         52 D6 3C E0 4D D7 3E 52 23 9F 79 EE 2C 50 04 74
            :         80 EE C3 3F 7F 02 03 01 00 01
            :       }
 296 A3   70:     [3] {
 298 30   68:       SEQUENCE {
 300 30   17:         SEQUENCE {
 302 06    9:           OBJECT IDENTIFIER
            :             netscape-cert-type (2 16 840 1 113730 1 1)
 313 04    4:           OCTET STRING
            :             03 02 06 C0
            :           }
 319 30   31:         SEQUENCE {
 321 06    3:           OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
 326 04   24:           OCTET STRING
            :             30 16 80 14 AB 64 08 F4 23 F4 D3 56 12 18 1D B0
            :             1C E9 1E C7 D1 9E E4 54
            :           }
 352 30   14:         SEQUENCE {
 354 06    3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
 359 01    1:           BOOLEAN TRUE
 362 04    4:           OCTET STRING
            :             03 02 05 A0
            :           }
            :         }
            :       }
            :     }
 368 30   13:   SEQUENCE {
 370 06    9:     OBJECT IDENTIFIER
            :       sha1withRSAEncryption (1 2 840 113549 1 1 5)
 381 05    0:     NULL
            :     }
 383 03   65:   BIT STRING 0 unused bits
            :     76 EF D4 FB 7A 25 9A D5 CE 6F AB AC 72 9E 5E 31
            :     B7 A3 68 5D 45 B3 FD 4D 13 83 C3 32 15 6A 41 91
            :     87 36 13 37 DF 21 08 29 69 AA F4 4B 66 14 2C 9F
            :     53 3A 8B 08 42 ED 51 40 91 18 47 5A 4D 12 48 70
            :   }

0 warnings, 0 errors.

   0 30  499: SEQUENCE {
   4 30  413:   SEQUENCE {
   8 A0    3:     [0] {
  10 02    1:       INTEGER 2
            :       }
  13 02    2:     INTEGER 13824
  17 30   13:     SEQUENCE {
  19 06    9:       OBJECT IDENTIFIER
            :         md5withRSAEncryption (1 2 840 113549 1 1 4)
  30 05    0:       NULL
            :       }
  32 30   71:     SEQUENCE {
  34 31   11:       SET {
  36 30    9:         SEQUENCE {
  38 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
  43 13    2:           PrintableString 'US'
            :           }
            :         }
  47 31   20:       SET {
  49 30   18:         SEQUENCE {
  51 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
  56 13   11:           PrintableString 'dfdfdfdfdfd'
            :           }
            :         }
  69 31   34:       SET {
  71 30   32:         SEQUENCE {
  73 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
  78 13   25:           PrintableString 'Certificate Manager (xxx)'
            :           }
            :         }
            :       }
 105 30   30:     SEQUENCE {
 107 17   13:       UTCTime '010718005722Z'
 122 17   13:       UTCTime '020718005722Z'
            :       }
 137 30   68:     SEQUENCE {
 139 31   11:       SET {
 141 30    9:         SEQUENCE {
 143 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
 148 13    2:           PrintableString 'US'
            :           }
            :         }
 152 31   17:       SET {
 154 30   15:         SEQUENCE {
 156 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
 161 13    8:           PrintableString 'netscape'
            :           }
            :         }
 171 31   34:       SET {
 173 30   32:         SEQUENCE {
 175 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
 180 13   25:           PrintableString 'Certificate Manager (Sub)'
            :           }
            :         }
            :       }
 207 30   92:     SEQUENCE {
 209 30   13:       SEQUENCE {
 211 06    9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
 222 05    0:         NULL
            :         }
 224 03   75:       BIT STRING 0 unused bits
            :         30 48 02 41 00 BF 9B A7 0F 63 9B B1 19 69 55 2F
            :         3E 8E 4B 63 F9 44 53 02 BB BD BC F5 F2 34 6B 00
            :         2B E4 D7 5F 14 42 4F 3E B5 C1 6A 8E D6 32 3D ED
            :         12 29 63 30 FE 35 74 0D 71 F0 69 10 EC E8 E8 A1
            :         2A 4F F7 6A A3 02 03 01 00 01
            :       }
 301 A3  118:     [3] {
 303 30  116:       SEQUENCE {
 305 30   14:         SEQUENCE {
 307 06    3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
 312 01    1:           BOOLEAN TRUE
 315 04    4:           OCTET STRING
            :             03 02 01 86
            :           }
 321 30   17:         SEQUENCE {
 323 06    9:           OBJECT IDENTIFIER
            :             netscape-cert-type (2 16 840 1 113730 1 1)
 334 04    4:           OCTET STRING
            :             03 02 00 87
            :           }
 340 30   29:         SEQUENCE {
 342 06    3:           OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
 347 04   22:           OCTET STRING
            :             04 14 AB 64 08 F4 23 F4 D3 56 12 18 1D B0 1C E9
            :             1E C7 D1 9E E4 54
            :           }
 371 30   31:         SEQUENCE {
 373 06    3:           OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
 378 04   24:           OCTET STRING
            :             30 16 80 14 E0 72 9A 04 73 96 64 85 55 78 30 3E
            :             DB C6 4C 05 34 23 EC 30
            :           }
 404 30   15:         SEQUENCE {
 406 06    3:           OBJECT IDENTIFIER basicConstraints (2 5 29 19)
 411 01    1:           BOOLEAN TRUE
 414 04    5:           OCTET STRING
            :             30 03 01 01 FF
            :           }
            :         }
            :       }
            :     }
 421 30   13:   SEQUENCE {
 423 06    9:     OBJECT IDENTIFIER md5withRSAEncryption (1 2 840 113549 1 1 4)
 434 05    0:     NULL
            :     }
 436 03   65:   BIT STRING 0 unused bits
            :     6D F2 C3 96 BE 2C 8D 7B 45 25 70 34 2D D3 EF BF
            :     9E 28 54 98 AC 20 24 AF 45 9B 8C 5A E9 B4 39 A2
            :     B3 DC C9 F6 4A 10 0F 36 DF AA E4 38 67 39 02 4A
            :     4A 54 7A 92 B1 92 B9 BB C6 A5 23 80 AA 47 C3 FF
            :   }

0 warnings, 0 errors.

   0 30  501: SEQUENCE {
   4 30  415:   SEQUENCE {
   8 A0    3:     [0] {
  10 02    1:       INTEGER 2
            :       }
  13 02    1:     INTEGER 1
  16 30   13:     SEQUENCE {
  18 06    9:       OBJECT IDENTIFIER
            :         sha1withRSAEncryption (1 2 840 113549 1 1 5)
  29 05    0:       NULL
            :       }
  31 30   71:     SEQUENCE {
  33 31   11:       SET {
  35 30    9:         SEQUENCE {
  37 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
  42 13    2:           PrintableString 'US'
            :           }
            :         }
  46 31   20:       SET {
  48 30   18:         SEQUENCE {
  50 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
  55 13   11:           PrintableString 'dfdfdfdfdfd'
            :           }
            :         }
  68 31   34:       SET {
  70 30   32:         SEQUENCE {
  72 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
  77 13   25:           PrintableString 'Certificate Manager (xxx)'
            :           }
            :         }
            :       }
 104 30   30:     SEQUENCE {
 106 17   13:       UTCTime '010712070000Z'
 121 17   13:       UTCTime '030712070000Z'
            :       }
 136 30   71:     SEQUENCE {
 138 31   11:       SET {
 140 30    9:         SEQUENCE {
 142 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
 147 13    2:           PrintableString 'US'
            :           }
            :         }
 151 31   20:       SET {
 153 30   18:         SEQUENCE {
 155 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
 160 13   11:           PrintableString 'dfdfdfdfdfd'
            :           }
            :         }
 173 31   34:       SET {
 175 30   32:         SEQUENCE {
 177 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
 182 13   25:           PrintableString 'Certificate Manager (xxx)'
            :           }
            :         }
            :       }
 209 30   92:     SEQUENCE {
 211 30   13:       SEQUENCE {
 213 06    9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
 224 05    0:         NULL
            :         }
 226 03   75:       BIT STRING 0 unused bits
            :         30 48 02 41 00 C6 E3 DC 6E 2D E7 51 63 77 59 69
            :         15 EB 21 BA 1E 2F 4A C2 4A 90 F7 B4 B9 8A 57 25
            :         C0 7E FB 56 62 CD F0 68 B6 97 FB 61 42 3C 15 8B
            :         11 09 D7 D2 D1 CA 32 55 B2 80 CD 9C 9E 5B 45 52
            :         EE 2D AD F9 5D 02 03 01 00 01
            :       }
 303 A3  118:     [3] {
 305 30  116:       SEQUENCE {
 307 30   17:         SEQUENCE {
 309 06    9:           OBJECT IDENTIFIER
            :             netscape-cert-type (2 16 840 1 113730 1 1)
 320 04    4:           OCTET STRING
            :             03 02 00 07
            :           }
 326 30   15:         SEQUENCE {
 328 06    3:           OBJECT IDENTIFIER basicConstraints (2 5 29 19)
 333 01    1:           BOOLEAN TRUE
 336 04    5:           OCTET STRING
            :             30 03 01 01 FF
            :           }
 343 30   29:         SEQUENCE {
 345 06    3:           OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
 350 04   22:           OCTET STRING
            :             04 14 E0 72 9A 04 73 96 64 85 55 78 30 3E DB C6
            :             4C 05 34 23 EC 30
            :           }
 374 30   31:         SEQUENCE {
 376 06    3:           OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
 381 04   24:           OCTET STRING
            :             30 16 80 14 E0 72 9A 04 73 96 64 85 55 78 30 3E
            :             DB C6 4C 05 34 23 EC 30
            :           }
 407 30   14:         SEQUENCE {
 409 06    3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
 414 01    1:           BOOLEAN TRUE
 417 04    4:           OCTET STRING
            :             03 02 01 86
            :           }
            :         }
            :       }
            :     }
 423 30   13:   SEQUENCE {
 425 06    9:     OBJECT IDENTIFIER
            :       sha1withRSAEncryption (1 2 840 113549 1 1 5)
 436 05    0:     NULL
            :     }
 438 03   65:   BIT STRING 0 unused bits
            :     0B 6E 96 6E C2 27 1C D4 D6 C8 DE 0C 7B DF 0D A4
            :     9D 23 74 35 86 85 FB 64 75 8C D3 77 DB 7B 87 B8
            :     2C 95 1A C4 57 01 BF A2 DD CE C5 6A F7 A0 03 22
            :     63 E9 1E 74 45 C7 4E 31 29 9C B8 BD F5 E4 86 BD
            :   }

0 warnings, 0 errors.
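
The extension OCTET STRINGs in the three dumps above can be decoded to see what the chain asserts about itself. The following is an added example, not part of the original report or of PSM/NSS: it takes the hex values exactly as printed in the dumps and checks issuer/subject common names, AKI-to-SKI linkage and the CA/SSL usage bits. The dict layout and function names are assumptions, and signatures and validity dates are not checked.

```python
# Added example. Hex values are copied from the dumpasn1 output in the report;
# the dict layout and function names are assumptions made for this sketch.
KEY_USAGE = ["digitalSignature", "nonRepudiation", "keyEncipherment",
             "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign"]
NS_CERT_TYPE = ["sslClient", "sslServer", "smime", "objectSigning",
                "reserved", "sslCA", "smimeCA", "objectSigningCA"]
SUB_KID = "AB 64 08 F4 23 F4 D3 56 12 18 1D B0 1C E9 1E C7 D1 9E E4 54"
ROOT_KID = "E0 72 9A 04 73 96 64 85 55 78 30 3E DB C6 4C 05 34 23 EC 30"
SUB, ROOT = "Certificate Manager (Sub)", "Certificate Manager (xxx)"
CHAIN = [  # leaf first, in the order of cert.001 .. cert.003
    {"subject": "pc614451.red.iplanet.com", "issuer": SUB, "ski": None,
     "aki": "30 16 80 14 " + SUB_KID, "bc": None,
     "ku": "03 02 05 A0", "nsct": "03 02 06 C0"},
    {"subject": SUB, "issuer": ROOT, "ski": "04 14 " + SUB_KID,
     "aki": "30 16 80 14 " + ROOT_KID, "bc": "30 03 01 01 FF",
     "ku": "03 02 01 86", "nsct": "03 02 00 87"},
    {"subject": ROOT, "issuer": ROOT, "ski": "04 14 " + ROOT_KID,
     "aki": "30 16 80 14 " + ROOT_KID, "bc": "30 03 01 01 FF",
     "ku": "03 02 01 86", "nsct": "03 02 00 07"},
]

def bit_names(hex_octets, names):
    """Decode a short-form DER BIT STRING into the names of the bits set."""
    der = bytes.fromhex(hex_octets)
    if len(der) < 4 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER BIT STRING")
    unused, payload = der[2], der[3:]
    nbits = min(len(payload) * 8 - unused, len(names))
    return [names[i] for i in range(nbits)
            if payload[i // 8] & (0x80 >> (i % 8))]

def key_id(hex_octets):
    """Strip the DER header from an SKI (04 14) or AKI (30 16 80 14) value."""
    der = bytes.fromhex(hex_octets)
    for header in (b"\x04\x14", b"\x30\x16\x80\x14"):
        if der.startswith(header) and len(der) == len(header) + 20:
            return der[len(header):]
    raise ValueError("unexpected key identifier encoding")

def check_chain(chain):
    """Return mismatches in names, key ids and CA bits; empty if consistent."""
    problems = []
    if "sslServer" not in bit_names(chain[0]["nsct"], NS_CERT_TYPE):
        problems.append("leaf is not marked as an SSL server certificate")
    for child, parent in zip(chain, chain[1:]):
        who = parent["subject"]
        if child["issuer"] != who:
            problems.append(f"{child['subject']}: issuer name is not {who}")
        if key_id(child["aki"]) != key_id(parent["ski"]):
            problems.append(f"{child['subject']}: AKI does not match SKI of {who}")
        if parent["bc"] is None or bytes.fromhex(parent["bc"]) != b"\x30\x03\x01\x01\xff":
            problems.append(f"{who}: basicConstraints does not assert CA")
        if "keyCertSign" not in bit_names(parent["ku"], KEY_USAGE):
            problems.append(f"{who}: keyUsage lacks keyCertSign")
        if "sslCA" not in bit_names(parent["nsct"], NS_CERT_TYPE):
            problems.append(f"{who}: netscape-cert-type lacks sslCA")
    return problems
```

For the values in the dumps, `check_chain(CHAIN)` returns an empty list: the names, key identifiers and CA/SSL bits of the three certificates line up with each other.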

Updated

17 years ago
Assignee: ssaux → javi
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P1
Target Milestone: --- → 2.1

Comment 1

17 years ago
Thomas, can we get the cms server url to replicate and debug?
Thanks,
P1
t->2.1
->javi
Javi setting to P1 so that you look at it right away. Reprioritize after doing
so, if warranted.
(Reporter)

Comment 2

17 years ago
http://192.18.121.247:1024/GetCAChain.html

Comment 3

17 years ago
This seems to work for me. Reporter, can you use the latest branch build to try 
this?
(Reporter)

Comment 4

17 years ago
Hmm, just set up another sub CA; this time it works.

https://192.18.121.247:8101

This could be a database corruption thingy. I will reopen this bug
if I see it again. For now, close as invalid.
Status: NEW → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → INVALID
(Reporter)

Comment 5

17 years ago
Also, I am using the latest build (07-20) now. Maybe this helps.

Comment 6

17 years ago
Verified invalid per reporter's comment.
Status: RESOLVED → VERIFIED

Updated

13 years ago
Component: Security: UI → Security: UI
Product: PSM → Core

Updated

10 years ago
Version: psm2.0 → 1.0 Branch
Product: Core → Core Graveyard