Hi Graeme,
I know for the Moz NSS bug, it is because as part of the SSL negotiation, the server
(or client, doesn't matter) sends its trusted certificates to the peer saying "look
this is my cert" and the peer says "wot? I thought it looked like this?"
But OpenSSL and stuff derived from OpenSSL do not work like this; they may
or may not send intermediate certificates in the negotiation but all that matters
is that the trust chain can be built, which of course it can be either way.
Maybe it's something more obvious. Like CRLs that haven't been refreshed when
you install the 1.21 release. You folk in Glasgow have probably been Good Eggs(tm)
as usual and refreshed your CRLs.
Cheers
--jens
-----Original Message-----
From: Testbed Support for GridPP member institutes on behalf of Graeme Stewart
Sent: Mon 5/19/2008 20:43
To: [log in to unmask]
Subject: Re: New LCG CA release 1.21: breaks site
What I really don't understand is why we would fail - our server
certificates are valid against the old (weak) CA trust chain, or the
new one. So the puzzle is not why we pass, but why others fail.
However, if Jens and Mingchao are also confused then at least I am in
good company...
g
On Mon, May 19, 2008 at 7:15 PM, Ma, M (Mingchao) <[log in to unmask]> wrote:
> I do not understand either, grid service should not be affected at all. 73?
> It seems quite a lot :-( , but we are not alone.
>
> Cheers,
>
> Mingchao
>
>
>> -----Original Message-----
>> From: Testbed Support for GridPP member institutes
>> [mailto:[log in to unmask]] On Behalf Of Jensen, J (Jens)
>> Sent: Monday, May 19, 2008 6:48 PM
>> To: [log in to unmask]
>> Subject: Re: New LCG CA release 1.21: breaks site
>>
>> Ma, M (Mingchao) wrote:
>> > It has been confirmed that SAM tests have updated the CA certificates
>> > by 2008-05-19 11:57. Sites still failed SAM tests after upgrading?
>> > OSCT-DC will follow the standard procedure to verify the release of
>> > new CA distribution.
>>
>> Thanks, Mingchao. This is indeed puzzling - why aren't sites
>> that haven't upgraded failing? Why do sites that upgrade fail?
>>
>> Incidentally, my test of EE certs finished this minute, and
>> it has found certificates with dodgy keys. Out of 11605
>> certificates (as of 14 May which was when I fetched the
>> certs), it has found 73 vulnerable keys.
>>
>> --jens
>>
>
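The two failure modes Jens raises at the top of the thread (a verifier that cannot build the chain from the root it trusts, and a CRL that has not been refreshed) can be reproduced with nothing but the openssl command line. The script below is an added example, not code from the thread or from the LCG/GridPP CA tooling: it builds a throwaway root, intermediate and server certificate (all names, lifetimes and file names are constructed for the demo, and it assumes an OpenSSL 1.1 or later CLI), then shows that `openssl verify` passes as soon as the intermediate is available from anywhere, whether the peer sent it or it came from a local store, and that with `-crl_check` a CRL past its nextUpdate fails verification exactly as a missing one would.

```shell
#!/bin/sh
# Added example, not code from the thread: build a throwaway root -> intermediate -> EE
# chain with the openssl CLI and check what an OpenSSL-style verifier actually needs.
# Everything here (names, lifetimes, file names) is constructed for the demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles for a CA certificate and an end-entity (EE) certificate.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ee_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

q() { "$@" >/dev/null 2>&1; }   # run quietly; set -e still stops the setup on failure

# Self-signed root: the only thing the relying party is assumed to trust.
q openssl req -x509 -config ext.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
  -sha256 -days 2 -subj "/CN=Constructed Root CA" -keyout root.key -out root.pem

# Intermediate CA signed by the root.
q openssl req -new -config ext.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=Constructed Intermediate CA" -keyout int.key -out int.csr
q openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -sha256 -extfile ext.cnf -extensions ca_ext -out int.pem

# Server (EE) certificate signed by the intermediate.
q openssl req -new -config ext.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=ce.example.invalid" -keyout ee.key -out ee.csr
q openssl x509 -req -in ee.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 2 -sha256 -extfile ext.cnf -extensions ee_ext -out ee.pem

# Minimal 'openssl ca' configuration so the intermediate can issue CRLs.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
database         = index.txt
new_certs_dir    = .
crlnumber        = crlnumber
default_crl_days = 30
default_md       = sha256
private_key      = int.key
certificate      = int.pem
EOF
: > index.txt
echo 01 > crlnumber

# One CRL whose nextUpdate is already in the past (stale), and one that is fresh.
q openssl ca -config ca.cnf -gencrl -crlsec 1 -out crl_stale.pem
sleep 2
q openssl ca -config ca.cnf -gencrl -crldays 30 -out crl_fresh.pem

# Root only: the chain cannot be built, so verification fails even though
# nothing about the EE certificate itself is wrong.
verify_root_only() {
  q openssl verify -CAfile root.pem ee.pem
}

# Root plus the intermediate. OpenSSL does not care whether the peer sent the
# intermediate or it came from a local store; the chain builds and verification passes.
verify_with_intermediate() {
  q openssl verify -CAfile root.pem -untrusted int.pem ee.pem
}

# Same chain, but the verifier also insists on a current CRL for the EE's issuer.
verify_with_crl() {   # $1 = CRL file
  q openssl verify -crl_check -CAfile root.pem -CRLfile "$1" -untrusted int.pem ee.pem
}
verify_with_fresh_crl() { verify_with_crl crl_fresh.pem; }
verify_with_stale_crl() { verify_with_crl crl_stale.pem; }

# Stand-alone run: report each outcome.
report() { if "$1"; then echo "$1: OK"; else echo "$1: FAILED"; fi; }
report verify_root_only
report verify_with_intermediate
report verify_with_fresh_crl
report verify_with_stale_crl
```

Run it as `sh chain-demo.sh`; the first and last checks are expected to report FAILED and the middle two OK. The temporary directory is left in place so the generated certificates and CRLs can be inspected afterwards, for instance with `openssl crl -in crl_stale.pem -noout -nextupdate`, which is the quick way to see whether a site's installed CRLs are past their refresh date.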