Closed Bug 91413 Opened 24 years ago Closed 24 years ago

PSM cannot access CMS's agent page if it is a subordinate CA

Categories

(Core Graveyard :: Security: UI, defect, P1)

1.0 Branch
x86
Windows 2000
defect

Tracking

(Not tracked)

VERIFIED INVALID
psm2.1

People

(Reporter: thomask, Assigned: javi)

Details

I have set up a CMS4.2SP2, and have installed NS6.1PR1. I have a root CA, and a subordinate CA. When NS6.1PR1 is used to access the subordinate CA agent's page, it fails. (Note that if I use PSM1.4 (an older version), this works and I can access the agent page without problem)

I used SSLtap to debug, and got the following:

C:\netscape\Server4\bin\cert\tools>ssltap -sl localhost:9101
Looking up "localhost"...
Proxy socket ready and listening
Connection #1 [Wed Jul 18 17:58:17 2001]
Connected to localhost:9101
--> [
alloclen = 72 bytes
(72 bytes of 72)
 [Wed Jul 18 17:58:17 2001] [ssl2] ClientHelloV2 {
           version = {0x03, 0x00}
           cipher-specs-length = 45 (0x2d)
           sid-length = 0 (0x00)
           challenge-length = 16 (0x10)
           cipher-suites = {
                (0x010080) SSL2/RSA/RC4-128/MD5
                (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
                (0x030080) SSL2/RSA/RC2CBC128/MD5
                (0x060040) SSL2/RSA/DES56-CBC/MD5
                (0x020080) SSL2/RSA/RC4-40/MD5
                (0x040080) SSL2/RSA/RC2CBC40/MD5
                (0x000004) SSL3/RSA/RC4-128/MD5
                (0x00feff) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
                (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
                (0x00fefe) SSL3/RSA-FIPS/DES56-CBC/SHA
                (0x000009) SSL3/RSA/DES56-CBC/SHA
                (0x000064) TLS/RSA_EXPORT1024/RC4-56/SHA
                (0x000062) TLS/RSA_EXPORT1024/DES56_CBC/SHA
                (0x000003) SSL3/RSA/RC4-40/MD5
                (0x000006) SSL3/RSA/RC2CBC40/MD5
                }
           session-id = { }
           challenge = { 0xd89a 0x82f4 0x5988 0x9dad 0x8b1c 0xb546 0xc137 0x0d44 }
}
]
<-- [
(1557 bytes of 1552)
SSLRecord { [Wed Jul 18 17:58:17 2001]
   type = 22 (handshake)
   version = { 3,0 }
   length = 1552 (0x610)
   handshake {
      type = 2 (server_hello)
      length = 70 (0x000046)
         ServerHello {
            server_version = {3, 0}
            random = {...}
            session ID = {
                length = 32
                contents = {..}
            }
            cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
         }
      type = 11 (certificate)
      length = 1470 (0x0005be)
         CertificateChain {
            chainlength = 1467 (0x05bb)
            Certificate {
               size = 450 (0x01c2)
               data = { saved in file 'cert.001' }
            }
            Certificate {
               size = 503 (0x01f7)
               data = { saved in file 'cert.002' }
            }
            Certificate {
               size = 505 (0x01f9)
               data = { saved in file 'cert.003' }
            }
         }
      type = 14 (server_hello_done)
      length = 0 (0x000000)
   }
}
]
--> [
(7 bytes of 2)
SSLRecord { [Wed Jul 18 17:58:17 2001]
   type = 21 (alert)
   version = { 3,0 }
   length = 2 (0x2)
   fatal: bad certificate
}
]

The output of the server certificates are:

   0 30  446: SEQUENCE {
   4 30  360:   SEQUENCE {
   8 A0    3:     [0] {
  10 02    1:       INTEGER 2
            :       }
  13 02    1:     INTEGER 2
  16 30   13:     SEQUENCE {
  18 06    9:       OBJECT IDENTIFIER
            :         sha1withRSAEncryption (1 2 840 113549 1 1 5)
  29 05    0:       NULL
            :       }
  31 30   68:     SEQUENCE {
  33 31   11:       SET {
  35 30    9:         SEQUENCE {
  37 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
  42 13    2:           PrintableString 'US'
            :           }
            :         }
  46 31   17:       SET {
  48 30   15:         SEQUENCE {
  50 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
  55 13    8:           PrintableString 'netscape'
            :           }
            :         }
  65 31   34:       SET {
  67 30   32:         SEQUENCE {
  69 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
  74 13   25:           PrintableString 'Certificate Manager (Sub)'
            :           }
            :         }
            :       }
 101 30   30:     SEQUENCE {
 103 17   13:       UTCTime '010717070000Z'
 118 17   13:       UTCTime '030717070000Z'
            :       }
 133 30   67:     SEQUENCE {
 135 31   11:       SET {
 137 30    9:         SEQUENCE {
 139 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
 144 13    2:           PrintableString 'US'
            :           }
            :         }
 148 31   17:       SET {
 150 30   15:         SEQUENCE {
 152 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
 157 13    8:           PrintableString 'netscape'
            :           }
            :         }
 167 31   33:       SET {
 169 30   31:         SEQUENCE {
 171 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
 176 13   24:           PrintableString 'pc614451.red.iplanet.com'
            :           }
            :         }
            :       }
 202 30   92:     SEQUENCE {
 204 30   13:       SEQUENCE {
 206 06    9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
 217 05    0:         NULL
            :         }
 219 03   75:       BIT STRING 0 unused bits
            :         30 48 02 41 00 C3 29 FC DB 45 42 00 91 20 B8 78
            :         96 AE 00 51 3E 2A DF DA D3 7D 3E 32 79 89 63 66
            :         12 60 15 08 C6 52 AF 12 3D 97 84 11 C7 0F 99 36
            :         52 D6 3C E0 4D D7 3E 52 23 9F 79 EE 2C 50 04 74
            :         80 EE C3 3F 7F 02 03 01 00 01
            :       }
 296 A3   70:     [3] {
 298 30   68:       SEQUENCE {
 300 30   17:         SEQUENCE {
 302 06    9:           OBJECT IDENTIFIER
            :             netscape-cert-type (2 16 840 1 113730 1 1)
 313 04    4:           OCTET STRING
            :             03 02 06 C0
            :           }
 319 30   31:         SEQUENCE {
 321 06    3:           OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
 326 04   24:           OCTET STRING
            :             30 16 80 14 AB 64 08 F4 23 F4 D3 56 12 18 1D B0
            :             1C E9 1E C7 D1 9E E4 54
            :           }
 352 30   14:         SEQUENCE {
 354 06    3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
 359 01    1:           BOOLEAN TRUE
 362 04    4:           OCTET STRING
            :             03 02 05 A0
            :           }
            :         }
            :       }
            :     }
 368 30   13:   SEQUENCE {
 370 06    9:     OBJECT IDENTIFIER
            :       sha1withRSAEncryption (1 2 840 113549 1 1 5)
 381 05    0:     NULL
            :     }
 383 03   65:   BIT STRING 0 unused bits
            :     76 EF D4 FB 7A 25 9A D5 CE 6F AB AC 72 9E 5E 31
            :     B7 A3 68 5D 45 B3 FD 4D 13 83 C3 32 15 6A 41 91
            :     87 36 13 37 DF 21 08 29 69 AA F4 4B 66 14 2C 9F
            :     53 3A 8B 08 42 ED 51 40 91 18 47 5A 4D 12 48 70
            :   }

0 warnings, 0 errors.

   0 30  499: SEQUENCE {
   4 30  413:   SEQUENCE {
   8 A0    3:     [0] {
  10 02    1:       INTEGER 2
            :       }
  13 02    2:     INTEGER 13824
  17 30   13:     SEQUENCE {
  19 06    9:       OBJECT IDENTIFIER
            :         md5withRSAEncryption (1 2 840 113549 1 1 4)
  30 05    0:       NULL
            :       }
  32 30   71:     SEQUENCE {
  34 31   11:       SET {
  36 30    9:         SEQUENCE {
  38 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
  43 13    2:           PrintableString 'US'
            :           }
            :         }
  47 31   20:       SET {
  49 30   18:         SEQUENCE {
  51 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
  56 13   11:           PrintableString 'dfdfdfdfdfd'
            :           }
            :         }
  69 31   34:       SET {
  71 30   32:         SEQUENCE {
  73 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
  78 13   25:           PrintableString 'Certificate Manager (xxx)'
            :           }
            :         }
            :       }
 105 30   30:     SEQUENCE {
 107 17   13:       UTCTime '010718005722Z'
 122 17   13:       UTCTime '020718005722Z'
            :       }
 137 30   68:     SEQUENCE {
 139 31   11:       SET {
 141 30    9:         SEQUENCE {
 143 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
 148 13    2:           PrintableString 'US'
            :           }
            :         }
 152 31   17:       SET {
 154 30   15:         SEQUENCE {
 156 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
 161 13    8:           PrintableString 'netscape'
            :           }
            :         }
 171 31   34:       SET {
 173 30   32:         SEQUENCE {
 175 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
 180 13   25:           PrintableString 'Certificate Manager (Sub)'
            :           }
            :         }
            :       }
 207 30   92:     SEQUENCE {
 209 30   13:       SEQUENCE {
 211 06    9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
 222 05    0:         NULL
            :         }
 224 03   75:       BIT STRING 0 unused bits
            :         30 48 02 41 00 BF 9B A7 0F 63 9B B1 19 69 55 2F
            :         3E 8E 4B 63 F9 44 53 02 BB BD BC F5 F2 34 6B 00
            :         2B E4 D7 5F 14 42 4F 3E B5 C1 6A 8E D6 32 3D ED
            :         12 29 63 30 FE 35 74 0D 71 F0 69 10 EC E8 E8 A1
            :         2A 4F F7 6A A3 02 03 01 00 01
            :       }
 301 A3  118:     [3] {
 303 30  116:       SEQUENCE {
 305 30   14:         SEQUENCE {
 307 06    3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
 312 01    1:           BOOLEAN TRUE
 315 04    4:           OCTET STRING
            :             03 02 01 86
            :           }
 321 30   17:         SEQUENCE {
 323 06    9:           OBJECT IDENTIFIER
            :             netscape-cert-type (2 16 840 1 113730 1 1)
 334 04    4:           OCTET STRING
            :             03 02 00 87
            :           }
 340 30   29:         SEQUENCE {
 342 06    3:           OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
 347 04   22:           OCTET STRING
            :             04 14 AB 64 08 F4 23 F4 D3 56 12 18 1D B0 1C E9
            :             1E C7 D1 9E E4 54
            :           }
 371 30   31:         SEQUENCE {
 373 06    3:           OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
 378 04   24:           OCTET STRING
            :             30 16 80 14 E0 72 9A 04 73 96 64 85 55 78 30 3E
            :             DB C6 4C 05 34 23 EC 30
            :           }
 404 30   15:         SEQUENCE {
 406 06    3:           OBJECT IDENTIFIER basicConstraints (2 5 29 19)
 411 01    1:           BOOLEAN TRUE
 414 04    5:           OCTET STRING
            :             30 03 01 01 FF
            :           }
            :         }
            :       }
            :     }
 421 30   13:   SEQUENCE {
 423 06    9:     OBJECT IDENTIFIER md5withRSAEncryption (1 2 840 113549 1 1 4)
 434 05    0:     NULL
            :     }
 436 03   65:   BIT STRING 0 unused bits
            :     6D F2 C3 96 BE 2C 8D 7B 45 25 70 34 2D D3 EF BF
            :     9E 28 54 98 AC 20 24 AF 45 9B 8C 5A E9 B4 39 A2
            :     B3 DC C9 F6 4A 10 0F 36 DF AA E4 38 67 39 02 4A
            :     4A 54 7A 92 B1 92 B9 BB C6 A5 23 80 AA 47 C3 FF
            :   }

0 warnings, 0 errors.

   0 30  501: SEQUENCE {
   4 30  415:   SEQUENCE {
   8 A0    3:     [0] {
  10 02    1:       INTEGER 2
            :       }
  13 02    1:     INTEGER 1
  16 30   13:     SEQUENCE {
  18 06    9:       OBJECT IDENTIFIER
            :         sha1withRSAEncryption (1 2 840 113549 1 1 5)
  29 05    0:       NULL
            :       }
  31 30   71:     SEQUENCE {
  33 31   11:       SET {
  35 30    9:         SEQUENCE {
  37 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
  42 13    2:           PrintableString 'US'
            :           }
            :         }
  46 31   20:       SET {
  48 30   18:         SEQUENCE {
  50 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
  55 13   11:           PrintableString 'dfdfdfdfdfd'
            :           }
            :         }
  68 31   34:       SET {
  70 30   32:         SEQUENCE {
  72 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
  77 13   25:           PrintableString 'Certificate Manager (xxx)'
            :           }
            :         }
            :       }
 104 30   30:     SEQUENCE {
 106 17   13:       UTCTime '010712070000Z'
 121 17   13:       UTCTime '030712070000Z'
            :       }
 136 30   71:     SEQUENCE {
 138 31   11:       SET {
 140 30    9:         SEQUENCE {
 142 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
 147 13    2:           PrintableString 'US'
            :           }
            :         }
 151 31   20:       SET {
 153 30   18:         SEQUENCE {
 155 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
 160 13   11:           PrintableString 'dfdfdfdfdfd'
            :           }
            :         }
 173 31   34:       SET {
 175 30   32:         SEQUENCE {
 177 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
 182 13   25:           PrintableString 'Certificate Manager (xxx)'
            :           }
            :         }
            :       }
 209 30   92:     SEQUENCE {
 211 30   13:       SEQUENCE {
 213 06    9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
 224 05    0:         NULL
            :         }
 226 03   75:       BIT STRING 0 unused bits
            :         30 48 02 41 00 C6 E3 DC 6E 2D E7 51 63 77 59 69
            :         15 EB 21 BA 1E 2F 4A C2 4A 90 F7 B4 B9 8A 57 25
            :         C0 7E FB 56 62 CD F0 68 B6 97 FB 61 42 3C 15 8B
            :         11 09 D7 D2 D1 CA 32 55 B2 80 CD 9C 9E 5B 45 52
            :         EE 2D AD F9 5D 02 03 01 00 01
            :       }
 303 A3  118:     [3] {
 305 30  116:       SEQUENCE {
 307 30   17:         SEQUENCE {
 309 06    9:           OBJECT IDENTIFIER
            :             netscape-cert-type (2 16 840 1 113730 1 1)
 320 04    4:           OCTET STRING
            :             03 02 00 07
            :           }
 326 30   15:         SEQUENCE {
 328 06    3:           OBJECT IDENTIFIER basicConstraints (2 5 29 19)
 333 01    1:           BOOLEAN TRUE
 336 04    5:           OCTET STRING
            :             30 03 01 01 FF
            :           }
 343 30   29:         SEQUENCE {
 345 06    3:           OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
 350 04   22:           OCTET STRING
            :             04 14 E0 72 9A 04 73 96 64 85 55 78 30 3E DB C6
            :             4C 05 34 23 EC 30
            :           }
 374 30   31:         SEQUENCE {
 376 06    3:           OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
 381 04   24:           OCTET STRING
            :             30 16 80 14 E0 72 9A 04 73 96 64 85 55 78 30 3E
            :             DB C6 4C 05 34 23 EC 30
            :           }
 407 30   14:         SEQUENCE {
 409 06    3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
 414 01    1:           BOOLEAN TRUE
 417 04    4:           OCTET STRING
            :             03 02 01 86
            :           }
            :         }
            :       }
            :     }
 423 30   13:   SEQUENCE {
 425 06    9:     OBJECT IDENTIFIER
            :       sha1withRSAEncryption (1 2 840 113549 1 1 5)
 436 05    0:     NULL
            :     }
 438 03   65:   BIT STRING 0 unused bits
            :     0B 6E 96 6E C2 27 1C D4 D6 C8 DE 0C 7B DF 0D A4
            :     9D 23 74 35 86 85 FB 64 75 8C D3 77 DB 7B 87 B8
            :     2C 95 1A C4 57 01 BF A2 DD CE C5 6A F7 A0 03 22
            :     63 E9 1E 74 45 C7 4E 31 29 9C B8 BD F5 E4 86 BD
            :   }

0 warnings, 0 errors.
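A "bad certificate" alert on a three-certificate chain is usually triaged by first checking how the certificates link to each other. The following is an added example, not part of the original report and not PSM or NSS code: it hard-codes the names and extension bytes from the three dumps in the report above and checks issuer/subject names, AKI against SKI, the CA flag and keyCertSign. The function names are this example's own.

```python
# Names and extension bytes (hex) copied from the three dumps in the report above.
ROOT_ID = "E0 72 9A 04 73 96 64 85 55 78 30 3E DB C6 4C 05 34 23 EC 30"
SUB_ID = "AB 64 08 F4 23 F4 D3 56 12 18 1D B0 1C E9 1E C7 D1 9E E4 54"
CHAIN = [  # order as sent by the server: server cert, subordinate CA, root
    dict(subject="C=US,O=netscape,CN=pc614451.red.iplanet.com",
         issuer="C=US,O=netscape,CN=Certificate Manager (Sub)",
         aki="30 16 80 14 " + SUB_ID, ski=None, ku="03 02 05 A0", bc=None),
    dict(subject="C=US,O=netscape,CN=Certificate Manager (Sub)",
         issuer="C=US,O=dfdfdfdfdfd,CN=Certificate Manager (xxx)",
         aki="30 16 80 14 " + ROOT_ID, ski="04 14 " + SUB_ID,
         ku="03 02 01 86", bc="30 03 01 01 FF"),
    dict(subject="C=US,O=dfdfdfdfdfd,CN=Certificate Manager (xxx)",
         issuer="C=US,O=dfdfdfdfdfd,CN=Certificate Manager (xxx)",
         aki="30 16 80 14 " + ROOT_ID, ski="04 14 " + ROOT_ID,
         ku="03 02 01 86", bc="30 03 01 01 FF"),
]
KU_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment",
            "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign"]

def der(hexstr):
    return bytes.fromhex(hexstr.replace(" ", ""))

def key_usage(hexstr):
    """Decode a keyUsage BIT STRING (03 len unused bits) into asserted bit names."""
    _tag, _length, _unused, *bits = der(hexstr)
    return {n for i, n in enumerate(KU_NAMES) if bits[0] & (0x80 >> i)}

def key_id(hexstr):
    """Return the key identifier from an SKI (04 14 ..) or AKI (30 16 80 14 ..)."""
    raw = der(hexstr)
    return raw[4:] if raw[0] == 0x30 else raw[2:]

def is_ca(hexstr):  # basicConstraints SEQUENCE { BOOLEAN TRUE } marks a CA
    return hexstr is not None and der(hexstr) == bytes.fromhex("30030101ff")

def check_chain(chain):
    """Return linkage problems between each certificate and the next one up."""
    problems = []
    for child, parent in zip(chain, chain[1:]):
        checks = [
            (child["issuer"] == parent["subject"], "issuer name != issuer's subject"),
            (key_id(child["aki"]) == key_id(parent["ski"]), "AKI != issuer's SKI"),
            (is_ca(parent["bc"]), "issuer is not marked as a CA"),
            ("keyCertSign" in key_usage(parent["ku"]), "issuer lacks keyCertSign"),
        ]
        problems += [f"{child['subject']}: {msg}" for ok, msg in checks if not ok]
    return problems

print(check_chain(CHAIN) or "no linkage problems found")
```

On the posted values all four checks pass for both links; signatures and validity periods are not checked here.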
Assignee: ssaux → javi
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P1
Target Milestone: --- → 2.1
Thomas, can we get the cms server url to replicate and debug? Thanks, P1 t->2.1 ->javi Javi setting to P1 so that you look at it right away. Reprioritize after doing so, if warranted.
This seems to work for me. Reporter, can you use the latest branch build to try this?
Hmm, just set up another sub ca, this time it works. https://192.18.121.247:8101 This could be a database corruption thingy. I will reopen this bug if I see it again. For now, close as invalid.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → INVALID
Also, I am using the latest build (07-20) now. Maybe this helps.
Verified invalid per reporter's comment.
Status: RESOLVED → VERIFIED
Product: PSM → Core
Version: psm2.0 → 1.0 Branch
Product: Core → Core Graveyard