Posted to users@tomcat.apache.org by Marko Sacher <ma...@web.de> on 2009/02/10 15:53:16 UTC

certificate problem in firefox 3.05

Hi,
I have a problem with a certificate from a CA. The certificate of the CA is 
included by default in FF3. If I call my page I get error: 
sec_error_bad_signature: invalid signature.
In other browsers the certificate looks O.K.
My CA tells me to disable SSLv2 and perhaps also weak ciphers. My config is:
<Connector protocol=''HTTP/1.1'' port="443" SSLEnabled="true" 
keyAlias="some-time.eu" maxThreads="150" scheme="https" 
keystoreFile="~/.keystore" keystorePass="password" secure="true" 
clientAuth="false" sslProtocol="TLS" />
Also I think Java in its current version does not support SSLv2 any more.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: certificate problem in firefox 3.05

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Marko,

On 2/11/2009 10:15 AM, Marko Sacher wrote:
> It is working now!
> 
> The problem is solved for me but I think it is still a good idea to make FF3
> accept the certificates I posted before with DSA signature.

Please stick with the bugzilla bug; there appear to be further
explanation questions about what the real bug is.

-chris



Re: certificate problem in firefox 3.05

Posted by Marko Sacher <ma...@web.de>.
It is working now!
The first problem seems to be that FF3 has a problem with DSA signatures:
https://bugzilla.mozilla.org/show_bug.cgi?id=452712
The second problem was that my installed Java JRE had a keytool which was not
able to combine the options -keyalg RSA and -sigalg SHA1withRSA correctly. It
generated a key, but my CA StartCom said MD5 is not a valid algorithm. After an
update from JRE 1.5.0.16 to 1.6.0.7 and running keytool with the following
commands, it is finally working now:

1. keytool -genkey -alias some-time \
     -dname "cn=Marko Sacher, ou=some-time, o=some-time, l=Essen, s=Nordrhein-Westfalen, c=DE" \
     -keystore .keystore -validity 365 -keyalg RSA -sigalg SHA1withRSA -keysize 2048
   # new 2048-bit RSA key pair; -sigalg/-validity apply to the self-signed placeholder certificate
2. keytool -certreq -alias some-time -file ns.some-time.de.csr -keystore ./.keystore
   # certificate signing request for that key, sent to the CA
3. keytool -import -file ca.crt -alias startcom.ca -keystore .keystore
   # CA root certificate as a trusted entry
4. keytool -import -alias startcom.ca.sub -file sub.class2.server.ca.crt -keystore .keystore
   # intermediate CA certificate, so the reply in step 5 can be chained
5. keytool -import -alias some-time -file ns.some-time.de.signed.crt -keystore .keystore
   # CA reply imported under the key entry's own alias, replacing the self-signed certificate

Important: alias in command 5 has to be equal to alias in command 1!!!

The problem is solved for me but I think it is still a good idea to make FF3
accept the certificates I posted before with DSA signature.
> Marko,
>
> On 2/11/2009 3:54 AM, Marko Sacher wrote:
> > I think I have the following problem:
> >
> > https://bugzilla.mozilla.org/show_bug.cgi?id=441321
> >
> > I made a report there.
>
> Excellent. Please followup with them (there's already a question about
> your setup from Kaspar Brand).
>
> If/when you find a solution, please post back to the list.
>
> Good luck,
> -chris
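Both causes Marko found above come down to one question: which signature algorithm does the CSR or certificate actually carry, whatever was requested on the keytool command line? The following is an added example for this page, not code from the thread or from the keytool or Tomcat projects. It uses only the Python standard library and walks just enough DER to read the outer signatureAlgorithm OID of a PEM CSR or X.509 certificate, then classifies it the way the thread's CA and browser did (MD5 refused by the CA, DSA tripping Firefox 3's sec_error_bad_signature). The CSR it runs on is constructed inside the block with a dummy body and signature, so only the algorithm field is realistic; the OID table, the wording in assess() and the build_sample_csr() helper are the example's own assumptions.

```python
"""Report the signature algorithm a PEM CSR or X.509 certificate actually carries.

Added example, not code from the thread. Standard library only: it walks just
enough DER to reach the outer signatureAlgorithm field, the one a CA or a
browser verifies:
  CertificationRequest ::= SEQUENCE { certificationRequestInfo, signatureAlgorithm, signature }
  Certificate          ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
"""
import base64

# Assumed OID table for this example; unknown OIDs are reported in dotted form.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "2.16.840.1.101.3.4.3.2": "dsaWithSHA256",
    "1.2.840.10045.4.3.2": "ecdsaWithSHA256",
}


def _read_tlv(buf, pos):
    """Return (tag, contents, position after the element) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(contents):
    """Decode OBJECT IDENTIFIER contents to dotted notation (base-128 arcs)."""
    first = contents[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in contents[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit closes the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def pem_to_der(pem_text):
    """Strip the PEM armour lines and base64-decode what is left."""
    lines = [line.strip() for line in pem_text.splitlines()]
    return base64.b64decode("".join(l for l in lines if l and not l.startswith("-----")))


def signature_algorithm(pem_text):
    """Return (dotted OID, name) of the outer signatureAlgorithm of a PEM CSR or certificate."""
    tag, outer, _ = _read_tlv(pem_to_der(pem_text), 0)
    if tag != 0x30:
        raise ValueError("top-level element is not a SEQUENCE")
    _, _, pos = _read_tlv(outer, 0)          # skip certificationRequestInfo / tbsCertificate
    tag, alg_id, _ = _read_tlv(outer, pos)   # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_contents, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_contents)
    return oid, SIG_ALG_OIDS.get(oid, oid)


def assess(pem_text):
    """Classify the algorithm as the thread's CA and browser did (wording is this example's own)."""
    _, name = signature_algorithm(pem_text)
    if name.startswith("md5"):
        return "reject: MD5 signature, the CA refuses it"
    if name.startswith("dsa"):
        return "warn: DSA signature, Firefox 3 fails with sec_error_bad_signature (bugzilla 452712)"
    if name.startswith("sha1"):
        return "warn: SHA-1 signature, accepted in 2009 but refused by current browsers"
    return "ok: " + name


# --- constructed test input: a tiny DER encoder for the few types the sample needs ---

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _tlv(tag, contents):
    return bytes([tag]) + _der_len(len(contents)) + contents


def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    contents = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        contents += chunk
    return _tlv(0x06, bytes(contents))


def build_sample_csr(sig_oid):
    """CONSTRUCTED sample: a structurally valid CSR whose body and signature are dummies.

    Only the signatureAlgorithm field is meaningful; real input comes from
    keytool -certreq or openssl req."""
    info = _tlv(0x30, _tlv(0x02, b"\x00"))               # CertificationRequestInfo stand-in
    alg = _tlv(0x30, _der_oid(sig_oid) + b"\x05\x00")    # AlgorithmIdentifier with NULL parameters
    sig = _tlv(0x03, b"\x00" * 17)                       # BIT STRING: 0 unused bits + 16 zero bytes
    der = _tlv(0x30, info + alg + sig)
    return ("-----BEGIN CERTIFICATE REQUEST-----\n"
            + base64.encodebytes(der).decode("ascii")
            + "-----END CERTIFICATE REQUEST-----\n")


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.10040.4.3", "1.2.840.113549.1.1.11"):
        print(signature_algorithm(build_sample_csr(oid))[1], "=>", assess(build_sample_csr(oid)))
```

On a real file the call is signature_algorithm(open("ns.some-time.de.csr").read()); a certificate works the same way because both structures put signatureAlgorithm second, although for a certificate the copy inside tbsCertificate must equal the outer one and this check does not compare them. Two keytool points worth keeping in mind alongside Marko's steps: -sigalg on -genkey only signs the self-signed placeholder, while -certreq has its own -sigalg whose default for RSA keys on JDK 5 keytool was MD5withRSA, which matches what the CA complained about; and -import only replaces a key entry's chain when the alias is the key entry's own alias, otherwise the CA reply is stored as a separate trusted-certificate entry and Tomcat keeps serving the self-signed certificate. Java also does not expand ~, so the keystoreFile="~/.keystore" in the Connector above should be an absolute path or one relative to $CATALINA_BASE.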


Re: certificate problem in firefox 3.05

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Marko,

On 2/11/2009 3:54 AM, Marko Sacher wrote:
> I think I have the following problem:
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=441321
> 
> I made a report there.

Excellent. Please followup with them (there's already a question about
your setup from Kaspar Brand).

If/when you find a solution, please post back to the list.

Good luck,
-chris



Re: certificate problem in firefox 3.05

Posted by Marko Sacher <ma...@web.de>.
Thank you Chris for your answer,

I think I have the following problem:

https://bugzilla.mozilla.org/show_bug.cgi?id=441321

I made a report there.

> Marko,
>
> On 2/10/2009 9:53 AM, Marko Sacher wrote:
> > I have a problem with a certificate from a CA. The certificate of the CA
> > is included by default in FF3. If I call my page I get error:
> > sec_error_bad_signature: invalid signature.
> > In other browsers the certificate looks O.K.
> > My CA tells me to disable SSLv2 and perhaps also weak ciphers. My config
> > is: <Connector protocol=''HTTP/1.1'' port="443" SSLEnabled="true"
> > keyAlias="some-time.eu" maxThreads="150" scheme="https"
> > keystoreFile="~/.keystore" keystorePass="password" secure="true"
> > clientAuth="false" sslProtocol="TLS" />
>
> I hope that protocol=''HTTP/1.1'' is really a protocol="HTTP/1.1".
> Otherwise, your configuration is broken.
>
> > Also I think Java in its current version does not support SSLv2 any more.
>
> Nobody should be using SSLv2 for anything.
>
> Is it possible that you've hit this bug?
> https://bugzilla.mozilla.org/show_bug.cgi?id=454759
>
> If so, you should get involved in the discussion.
>
> -chris


Re: certificate problem in firefox 3.05

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Marko,

On 2/10/2009 9:53 AM, Marko Sacher wrote:
> I have a problem with a certificate from a CA. The certificate of the CA is 
> included by default in FF3. If I call my page I get error: 
> sec_error_bad_signature: invalid signature.
> In other browsers the certificate looks O.K.
> My CA tells me to disable SSLv2 and perhaps also weak ciphers. My config is:
> <Connector protocol=''HTTP/1.1'' port="443" SSLEnabled="true" 
> keyAlias="some-time.eu" maxThreads="150" scheme="https" 
> keystoreFile="~/.keystore" keystorePass="password" secure="true" 
> clientAuth="false" sslProtocol="TLS" />

I hope that protocol=''HTTP/1.1'' is really a protocol="HTTP/1.1".
Otherwise, your configuration is broken.

> Also I think Java in its current version does not support SSLv2 any more.

Nobody should be using SSLv2 for anything.

Is it possible that you've hit this bug?
https://bugzilla.mozilla.org/show_bug.cgi?id=454759

If so, you should get involved in the discussion.

-chris
