Re: Root Certificate
- From: "Nathan Herring [MSFT]" <nathanh@xxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 24 Jan 2006 03:40:41 -0800
On 1/23/06 10:57:08 PM, in article BFFB8043.14F09E%chrisridd@xxxxxxx, "Chris
Ridd" <chrisridd@xxxxxxx> wrote:
> On 24/1/06 2:19, in article BFFACEC7.945AC%nathanh@xxxxxxxxxxxxxxxxxxxx,
> "Nathan Herring [MSFT]" <nathanh@xxxxxxxxxxxxxxxxxxxx> wrote:
>
>> More specifically, the rules are that:
>> 1) You must match the common name in the subject name <OR> you must match a
>> FQDN or IP address found in a subject alternative name extension.
>> 2) If you have a critical Extended Key Usage ( 2 5 29 37 ) extension, then
>> it must list Server Authentication ( 1 3 6 1 5 5 7 3 1 ) as one of its
>> purposes.
>>
>> Given that, we don't have support for comparing IP addresses in subject
>> alternative names. (Yet.) We also have some issues about reporting what kind
>
> I thought the job of comparing the name the user entered to connect to with
> the name in the server's cert was the job of Apple's security framework?
> Apple's tpPolicies.cpp seems to have all this functionality...
>
> <http://darwinsource.opendarwin.org/10.4.4.ppc/libsecurity_apple_x509_tp-248
> 18/lib/tpPolicies.cpp>
>
> (It looks broadly similar to the code in 10.3.)
Yes, Apple has code to do this. We wrote our own implementation back when it
was not obvious that Apple was going to provide one. Sadly, they released
their support about the same time as we did ours, so...
>> I highly suggest taking up the issue with your IT administrator. They should
>> be issuing correct certificates. They can use the "*.foo.com" syntax to be
>> able to match all the hosts in the foo.com domain (though not "a.b.foo.com",
>> for which it would need "*.*.foo.com").
>
> You're right - working around the error shouldn't be necessary.
>
> But experience suggests that an "IT admin" thinks it works with Windows
> clients they won't be keen to do anything to make it work with anything else
> :-(
That said, most of these SSL issues are reproducable in Windows
environments. You should be able to issue an https://subdomain.domain.com in
WinIE 6 and get a similar error when the cert only supports "domain.com". If
it gives an SSL error in WinIE (and/or Safari) and not in Entourage, or vice
versa, it's probably a bug, and should be reported. (At this time, we know
of a small number of such issues.)
I play this It-doesn't-work-on-Windows card a lot at work. As you might
imagine, our IT folks are significantly more interested in supporting
Windows, even when it's theoretically an issue with a platform-neutral
technology such as SSL.
-nh
--
Nathan Herring
MacBU SDE/Development
This posting is provided ³AS IS² with no warranties, and confers no rights.
.
- Follow-Ups:
- Re: Root Certificate
- From: Chris Ridd
- Re: Root Certificate
- References:
- Root Certificate
- From: Kevin Ledgister
- Re: Root Certificate
- From: Chris Ridd
- Re: Root Certificate
- From: Nathan Herring [MSFT]
- Re: Root Certificate
- From: Chris Ridd
- Root Certificate
- Prev by Date: Re: Another GAL problem
- Next by Date: Re: file contact as lastname, firstname format?
- Previous by thread: Re: Root Certificate
- Next by thread: Re: Root Certificate
- Index(es):
Relevant Pages
|
