Peter Sylvester wrote, in part:

>There is a difference between what you must set and what you must
>verify. 5280/3280 is clear (IMO) about that.

>when you verify a cert, AND you know about the extension, you just
>verify the extension and don't care about the critical bit

>Since the error message seems to indicate that the extension is known,
>the verifier has no reason to check the criticality bit.

By "when you verify a cert" you mean gsk, and that it shouldn't care about the critical bit?

>>The fix was to update the root certificate used by the server to add
>>the required Critical value for Basic Constraints (henceforth "BC" as
>>a shorthand).

>The RFC path validation does not use a self-signed root certificate. The
>only necessary thing for an implementation is to have an association
>between a subject and a public key.

>A self-signed cert is just handy.

>>This happened again here this week when a certificate was updated
>>(someone used the wrong internal CA, which was old). Once we got it
>>straightened out, I started wondering why this only happened once we
>>added TLSv1.3 support. Some reading of RFC5280 (which obsoleted 3280)
>>suggests that a PKIX-compliant certificate should ALWAYS be rejected
>>if not BC. But this doesn't seem to be true until we add the TLSv1.3
>>support.

>what is suggesting this?

If by "this" you mean "what is suggesting 'But this doesn't seem to be true until we add the TLSv1.3 support'", then it's that the old version, which doesn't do TLSv1.3, didn't get the BC error with the same cert.

>SNI is used to identify a server, and in particular, the cert (chain)
>to be presented to the client.

Right, I know. I was just noting that this was another change between versions, in case there was some interaction.

>Does your product work with TLS 1.2?

Yes. Has for years. Both old and new versions.

So to recap, my perception is that if the client doesn't say "I can do TLSv1.3", BC doesn't matter; if it does say so, BC matters.

I feel dense, but I'm not sure what to conclude from what you wrote: whether you're suggesting that gsk is doing something wrong or not. Or maybe you hadn't presented a conclusion yet, pending my answers above! Appreciate the input, hoping for more.

.phsiii

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
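To make the "set vs. verify" distinction in the exchange above concrete, here is an added example (mine, not code from either poster, from GSKit or from any product mentioned). It walks a DER Extensions sequence with a hand-written decoder and reports, for an issuer certificate, two separate things: what a path validator needs under RFC 5280 section 6.1.4 (k) (for a version 3 certificate, basicConstraints present with cA=TRUE; the critical flag plays no part once the extension is understood), and what section 4.2.1.9 requires of the CA that issued it (basicConstraints marked critical in CA certificates). The three byte strings are constructed for the example and are not taken from any real certificate; the function names are my own.

```python
"""Separate the two RFC 5280 Basic Constraints rules discussed in the thread:

* 4.2.1.9: a conforming CA MUST mark basicConstraints critical in a CA
  certificate (a rule for whoever *sets* the extension);
* 6.1.4 (k): a validator needs cA=TRUE in basicConstraints before it treats
  a version 3 certificate as an issuer (a rule for the *verifier*); since the
  verifier understands the extension, the critical flag does not change that.

Added example with a minimal DER walker over constructed Extensions bytes;
no real certificate and no third-party module are involved.
"""

OID_BASIC_CONSTRAINTS = "2.5.29.19"


def read_tlv(buf, pos):
    """Decode the DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets that follow
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Turn OBJECT IDENTIFIER content octets into dotted form, e.g. 2.5.29.19."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for octet in value[1:]:
        acc = (acc << 7) | (octet & 0x7F)
        if not octet & 0x80:  # a clear high bit ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_extensions(der):
    """Parse an Extensions SEQUENCE into dicts with oid / critical / value.

    Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }.  DER forbids encoding a DEFAULT value, so a
    non-critical extension carries no BOOLEAN at all.
    """
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid_octets, p = read_tlv(ext, 0)
        critical = False
        t, v, p = read_tlv(ext, p)
        if t == 0x01:  # BOOLEAN present means critical was explicitly set
            critical = v != b"\x00"
            t, v, p = read_tlv(ext, p)
        if t != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        result.append({"oid": decode_oid(oid_octets), "critical": critical, "value": v})
    return result


def parse_basic_constraints(value):
    """Decode BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER OPTIONAL }; return (cA, pathLen)."""
    _, body, _ = read_tlv(value, 0)
    ca, path_len, pos = False, None, 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        if t == 0x01:
            ca = v != b"\x00"
        elif t == 0x02:
            path_len = int.from_bytes(v, "big")
    return ca, path_len


def assess_issuer(extensions_der):
    """Report what a verifier and a profile checker each conclude."""
    exts = parse_extensions(extensions_der)
    bc = [e for e in exts if e["oid"] == OID_BASIC_CONSTRAINTS]
    verdict = {"bc_present": bool(bc), "critical": False, "cA": False, "pathLen": None}
    if bc:
        verdict["critical"] = bc[0]["critical"]
        verdict["cA"], verdict["pathLen"] = parse_basic_constraints(bc[0]["value"])
    # 6.1.4 (k): the validator needs cA=TRUE; the critical flag is irrelevant here.
    verdict["usable_as_issuer"] = verdict["cA"]
    # 4.2.1.9: the issuing CA should have marked the extension critical.
    verdict["profile_conformant"] = verdict["cA"] and verdict["critical"]
    return verdict


# Constructed Extensions sequences for the example (not from any real certificate):
CRITICAL_CA = bytes.fromhex("30 11 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF")
NONCRITICAL_CA = bytes.fromhex("30 0E 30 0C 06 03 55 1D 13 04 05 30 03 01 01 FF")
# keyUsage (keyCertSign, cRLSign) only, with no basicConstraints at all.
NO_BC = bytes.fromhex("30 10 30 0E 06 03 55 1D 0F 01 01 FF 04 04 03 02 01 06")

if __name__ == "__main__":
    for name, der in (("critical BC", CRITICAL_CA), ("non-critical BC", NONCRITICAL_CA), ("no BC", NO_BC)):
        print(f"{name:16} -> {assess_issuer(der)}")
```

Run against the three samples, the non-critical CA certificate comes out `usable_as_issuer` but not `profile_conformant`, which is exactly the split Peter draws: a verifier that recognises the extension checks cA, while criticality is a requirement on the issuing CA's profile. The sample with no basicConstraints fails the verifier's rule outright, which matches the stricter reading of 5280 in the quoted text. Why one TLS stack version applies the rule and another does not cannot be settled by this code; it only shows which rule each outcome corresponds to.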
