> On Fri, Aug 22, 2003, Charles B Cranston wrote:
>
>> Well, the sad answer to this question is yes. It turns out that in the design of SSL the client does the verification, so each client has its own little set of peccadillos.
>
> Indeed but if the OP means that you need a different server certificate for each browser then the answer is no: the requirements aren't mutually exclusive.

Agreed, we were able to eventually arrive at an architecture that seems to work for all our usages, both client and server.

>> These are some of the ones we found: Netscape 4 will not tolerate an ExtendedKeyUsage extension.
>
> Hmmm. What makes you think that? EKU is *required* to handle "step up" (aka SGC, magic, 128 bit [yuck]) and Netscape 4 handled that.

Hello Steve!

Based on a dialog that came up that said "unknown critical extension" when I had a critical EKU extension and that dialog not coming up when I made it a noncritical extension or left it out entirely. I don't think this had anything to do with stepup, but correct me if I'm missing something.

>> You might look at what kind of extensions are included.
>>
>> The documentation for the extensions is in a docs directory of the OpenSSL source and it is something innocuous like openssl.txt or something like that. Also, read the man page on the openssl.cnf file format.
>
> It's doc/openssl.txt and this is referenced in the FAQ.

It's "man config" for the openssl.cnf file format. My experience is that the comments in the distributed file add greatly to the documentation so both should be read.

> It shouldn't be necessary to alter the default extensions for a simple SSL server certificate.

Yes, I believe this to be the case, but note that software rot might affect this. We have some Java client code that REQUIRES a BasicConstraints extension, for example, and while I believe the distributed cnf does put one in, in slight violation of PKIX/RFC3380 (and this is well and truly disclosed and documented in the commentary!) it may someday come to pass that some client requires something above and beyond.

Wasn't there a case in the last two months on this list where somebody was trying to generate a certificate for an HP printer or printer server and it needed some specific certificate usage extension bits???

> Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
> Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
> Email: [EMAIL PROTECTED], PGP key: via homepage.

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
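The check the thread keeps circling back to is looking at which extensions a certificate actually carries and whether any of them is flagged critical, since a client that does not understand a critical extension has to reject the certificate (the "unknown critical extension" dialog above). The script below is an added example, not code from the thread or from the OpenSSL project: it writes two small openssl.cnf-style profiles that differ only in whether extendedKeyUsage is marked critical, builds a self-signed server certificate from each, and prints the extension block with `openssl x509 -text`. It assumes the `openssl` command-line tool is on PATH; the working directory, the host name example.test and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): compare the extension blocks of two
# certificates whose profiles differ only in the criticality of EKU.
# Assumes the openssl CLI is on PATH. Paths and names below are constructed.
set -e

WORK="${TMPDIR:-/tmp}/ext-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Write a minimal req config.  $1 = output path, $2 = extendedKeyUsage value
# (e.g. "serverAuth" or "critical, serverAuth").  The section names are ours.
write_cnf() {
  cat > "$1" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = server_ext

[ dn ]
CN = example.test

[ server_ext ]
# An end-entity certificate may omit basicConstraints, but some clients
# (the Java code mentioned in the thread) insist on it, so state CA:FALSE.
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = $2
subjectAltName   = DNS:example.test
EOF
}

# Generate a self-signed certificate and print its path.
# $1 = name prefix, $2 = extendedKeyUsage value.
make_cert() {
  write_cnf "$WORK/$1.cnf" "$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
  echo "$WORK/$1.crt"
}

# Print only the "X509v3 extensions:" block of a certificate.  This is the
# part to compare when one client accepts a certificate and another rejects it.
show_extensions() {
  openssl x509 -in "$1" -noout -text |
    sed -n '/X509v3 extensions:/,/Signature Algorithm:/p' |
    sed '$d'
}

# Exit 0 if any extension in the certificate is flagged critical.
has_critical_extension() {
  show_extensions "$1" | grep -q ': critical'
}

# Exit 0 if the Extended Key Usage extension specifically is critical.
eku_is_critical() {
  show_extensions "$1" | grep -q 'Extended Key Usage: critical'
}

PLAIN=$(make_cert plain "serverAuth")
STRICT=$(make_cert strict "critical, serverAuth")

echo "== non-critical EKU ($PLAIN) =="
show_extensions "$PLAIN"
echo "== critical EKU ($STRICT) =="
show_extensions "$STRICT"
```

Run it as a script; the second listing shows `X509v3 Extended Key Usage: critical`, the first does not, and that one word is the difference between a certificate every client accepts and one that an older client rejects outright. The syntax used in the `[ server_ext ]` section is the one documented in `man config` and, in current OpenSSL releases, `man x509v3_config`.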
