Re: ca cert questions (was Re: Dumb SSL question)
On 2 Apr 2002, jon schatz wrote:

> we had not chosen to trust). geotrust had me install a CA cert on the
> server and use 'SSLCACertificateFile' to point to it. magically, ie then
> trusted the certificate. so why does this work? i mean, why can't i
> start forging ssl certificates that are trusted by my own ca files that
> i host locally? do browsers do any verification of ca files served up by
> remote machines? feel free to point me to documentation on this one...

The difference is that the CA certificate they would have had you install
(a) is signed by a CA that the browser *does* trust and (b) contains a
flag saying "this certificate may be used to sign other certificates."

SSLCertificateChainFile (and SSLCACertificateFile in this case) is all
about establishing a chain of trust back to some entity (a root CA) that
the browser does trust.

Take a look at the CA certificate they gave you... it will have been
signed by some root CA (is Thawte the only one that actually provides
this service? Maybe Verisign does, I don't know.), and you'll see the
special capabilities flags in there as well.

--Cliff

--
Cliff Woolley
[EMAIL PROTECTED]
Apache HTTP Server Project

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                           [EMAIL PROTECTED]
Automated List Manager                              [EMAIL PROTECTED]
Re: Dumb SSL question.
"Ladner, Eric (Eric.Ladner)" <[EMAIL PROTECTED]> writes:

> Oops.. I finally found this info in the mailing list.
>
> I still have a question though..
>
> What mechanism is it that will allow an encrypted communication (a
> connection to the https side of the web server) without popping up
> the View/Accept/Whatever dialog for the certificate?
>
> Is there a validation done on the client to the issuer of
> the certificate and it's just accepted if the certificate is validated?
> (i.e. the cert is validated with verisign, or whoever, and is just
> accepted if everything checks out ok).

Believe it or not, this is how things are SUPPOSED to work. If the
certificate is a valid certificate (descends from a trusted root, not on
a CRL, etc.) and has the correct name then you get connected without any
dialog (or maybe a "you are about to enter a secure connection" dialog).
It's only if something is wrong that you get a pop-up.

It's a sad testament to how often things are wrong that people consider
the pop-up the normal state of affairs.

-Ekr

--
[Eric Rescorla                                       [EMAIL PROTECTED]]
                      http://www.rtfm.com/
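The two replies above describe the same check from two sides: Cliff's (a) "signed by a CA the browser does trust" plus (b) "carries the may-sign-other-certificates flag", and Ekr's "descends from a trusted root ... and has the correct name". The following sh script is an added example, not code from the original thread, from mod_ssl or from GeoTrust; it uses the openssl command line to build a throwaway PKI and then plays the browser with `openssl verify`, where the -CAfile is the browser's trust store and the -untrusted file is what the server would send alongside its own certificate. The hostname www.example.test, the CA names, the scratch directory and the 2048-bit RSA keys are all assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread or from mod_ssl.
# Builds a throwaway PKI with openssl and shows which server certificates
# a verifier that trusts ONLY the root will accept.  Names, directory and
# key sizes below are assumptions for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # scratch directory (assumed throwaway)
SERVER_NAME="www.example.test"    # hostname the real server cert is issued for

# Minimal openssl.cnf so 'openssl req' works even where no system config exists.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# mk_cert STEM CN EXTENSIONS [ISSUER_CERT ISSUER_KEY]
# Writes $WORK/STEM.key and $WORK/STEM.pem.  Without an issuer the cert is
# self-signed.  EXTENSIONS is the x509v3 extension text embedded in the cert.
mk_cert() {
  stem=$1; cn=$2; ext=$3; issuer_cert=${4:-}; issuer_key=${5:-}
  openssl genrsa -out "$WORK/$stem.key" 2048 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/$stem.key" \
    -subj "/CN=$cn" -out "$WORK/$stem.csr" 2>/dev/null
  printf '%s\n' "$ext" > "$WORK/$stem.ext"
  if [ -z "$issuer_cert" ]; then
    openssl x509 -req -in "$WORK/$stem.csr" -signkey "$WORK/$stem.key" \
      -days 365 -extfile "$WORK/$stem.ext" -out "$WORK/$stem.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$stem.csr" -CA "$issuer_cert" -CAkey "$issuer_key" \
      -CAcreateserial -days 365 -extfile "$WORK/$stem.ext" -out "$WORK/$stem.pem" 2>/dev/null
  fi
}

# verdict TRUST_STORE CHAIN_FILE LEAF_FILE HOSTNAME
# Prints "accepted" if LEAF chains to a cert in TRUST_STORE via CHAIN and is
# valid for HOSTNAME, otherwise "rejected".  TRUST_STORE is the browser's
# root list; CHAIN is what the server sends next to its own certificate.
verdict() {
  if openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname "$4" "$3" >/dev/null 2>&1
  then echo accepted; else echo rejected; fi
}

build_pki() {
  # Root CA: self-signed and allowed to sign other certificates.  This is
  # the only thing the "browser" trusts.
  mk_cert root "Example Root CA" "basicConstraints=critical,CA:TRUE"
  # Issuing CA: the browser has never seen it, but it is (a) signed by the
  # root and (b) marked CA:TRUE, so it may sign the server certificate.
  mk_cert inter "Example Issuing CA" "basicConstraints=critical,CA:TRUE,pathlen:0" \
    "$WORK/root.pem" "$WORK/root.key"
  # The real server certificate, issued by the intermediate.
  server_ext="basicConstraints=CA:FALSE
subjectAltName=DNS:$SERVER_NAME"
  mk_cert server "$SERVER_NAME" "$server_ext" "$WORK/inter.pem" "$WORK/inter.key"
  # A "forged" CA: CA:TRUE, but nothing the browser trusts has signed it.
  mk_cert forged "Forged CA" "basicConstraints=critical,CA:TRUE"
  mk_cert forged_server "$SERVER_NAME" "subjectAltName=DNS:$SERVER_NAME" \
    "$WORK/forged.pem" "$WORK/forged.key"
  # A cert the root DID sign, but as an end entity (CA:FALSE), then used as
  # an issuer anyway: condition (a) holds, condition (b) does not.
  mk_cert noca "Not A CA" "basicConstraints=critical,CA:FALSE" \
    "$WORK/root.pem" "$WORK/root.key"
  mk_cert noca_server "$SERVER_NAME" "subjectAltName=DNS:$SERVER_NAME" \
    "$WORK/noca.pem" "$WORK/noca.key"
}

build_pki
echo "real chain:                $(verdict "$WORK/root.pem"   "$WORK/inter.pem"  "$WORK/server.pem"        "$SERVER_NAME")"
echo "forged CA, not in store:   $(verdict "$WORK/root.pem"   "$WORK/forged.pem" "$WORK/forged_server.pem" "$SERVER_NAME")"
echo "issuer lacks CA:TRUE:      $(verdict "$WORK/root.pem"   "$WORK/noca.pem"   "$WORK/noca_server.pem"   "$SERVER_NAME")"
echo "wrong hostname:            $(verdict "$WORK/root.pem"   "$WORK/inter.pem"  "$WORK/server.pem"        "other.example.test")"
echo "forged CA, added to store: $(verdict "$WORK/forged.pem" "$WORK/forged.pem" "$WORK/forged_server.pem" "$SERVER_NAME")"
```

The server-hosted file never decides anything on its own: the forged CA is rejected as long as it is absent from the trust store and accepted the moment it is added, which is the answer to "why can't I forge certificates trusted by my own CA files". In mod_ssl terms, server.pem goes in SSLCertificateFile, server.key in SSLCertificateKeyFile, and inter.pem (the file GeoTrust had Jon install) in SSLCertificateChainFile. `openssl x509 -in "$WORK/inter.pem" -noout -text` shows the basicConstraints extension, which is the "special capabilities flag" Cliff refers to.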
ca cert questions (was Re: Dumb SSL question)
On Tue, 2002-04-02 at 13:50, Ladner, Eric (Eric.Ladner) wrote:

> What mechanism is it that will allow an encrypted communication (a
> connection to the https side of the web server) without popping up
> the View/Accept/Whatever dialog for the certificate?

All that's required is a valid cert (valid date, correct servername)
signed by a valid CA (installed on your web browser or on the remote
server).

which brings me to my question: my company purchased a cert from
geotrust. initially, we couldn't make the cert work (we got an ie dialog
saying that the cert was from a company we had not chosen to trust).
geotrust had me install a CA cert on the server and use
'SSLCACertificateFile' to point to it. magically, ie then trusted the
certificate. so why does this work? i mean, why can't i start forging ssl
certificates that are trusted by my own ca files that i host locally? do
browsers do any verification of ca files served up by remote machines?
feel free to point me to documentation on this one...

-jon

--
[EMAIL PROTECTED] || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus?: www.divisionbyzero.com/pgp.html
"You are in a twisty little maze of Sendmail rules, all confusing."
RE: Dumb SSL question.
Oops.. I finally found this info in the mailing list.

I still have a question though..

What mechanism is it that will allow an encrypted communication (a
connection to the https side of the web server) without popping up the
View/Accept/Whatever dialog for the certificate?

Is there a validation done on the client to the issuer of the certificate
and it's just accepted if the certificate is validated? (i.e. the cert is
validated with verisign, or whoever, and is just accepted if everything
checks out ok).

Thanks,
Eric "I should search the archives better" Ladner

-----Original Message-----
From: Ladner, Eric (Eric.Ladner) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 02, 2002 2:23 PM
To: '[EMAIL PROTECTED]'
Subject: Dumb SSL question.

How can I enable mod_ssl and apache to use SSL encryption for browser to
server communication without having to have the user accept a
certificate? I've noticed several sites do this on the web without asking
for you to accept or reject a certificate.

Basically, I want to use encryption, but not have the user intervene to
enable/disable it.

Thanks,
Eric Ladner
Re: Dumb SSL question.
Eric Ladner wrote RE:
>> Basically, I want to use encryption, but not have the user intervene to
>> enable/disable it.

In IE 5.5: Tools, Internet Options, Security, Custom Level... Enable
"Don't prompt for Client Certificate..." (or is it "Disable" -- it's a
double negative and I always had trouble with those... :-)

Don't know if this will help but it SEEMS like it could address your
question from the client side.

Good luck!

Andrew Lietzow
The ACL Group, Inc.
Re: Dumb SSL question.
Hi Eric,

For example you can buy a certificate from Thawte (www.thawte.com) or
Verisign (www.verisign.com).

I hope this was helpful.

Rgds,
Peter Stoehr
GAYNET.AT

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Ladner, Eric (Eric.Ladner)
Sent: Tuesday, 02 April 2002 22:23
To: '[EMAIL PROTECTED]'
Subject: Dumb SSL question.

How can I enable mod_ssl and apache to use SSL encryption for browser to
server communication without having to have the user accept a
certificate? I've noticed several sites do this on the web without asking
for you to accept or reject a certificate.

Basically, I want to use encryption, but not have the user intervene to
enable/disable it.

Thanks,
Eric Ladner
Dumb SSL question.
How can I enable mod_ssl and apache to use SSL encryption for browser to
server communication without having to have the user accept a
certificate? I've noticed several sites do this on the web without asking
for you to accept or reject a certificate.

Basically, I want to use encryption, but not have the user intervene to
enable/disable it.

Thanks,
Eric Ladner