Re: [Fed-Talk] PKI Certificates - Unknown Critical Extensions causing problems...
- Subject: Re: [Fed-Talk] PKI Certificates - Unknown Critical Extensions causing problems...
- From: Ron Broersma <email@hidden>
- Date: Sat, 3 Apr 2010 11:52:03 -0700
Mark,
This is causing serious problems for us as well. But in our case we notice it mostly with Mail.app. The problem still exists in 10.6.3.
Digital signatures show up as invalid, and the cert chain gets really confused. For example, if you "show details" when a signature can't be verified, you can get really messed up chains...
Reading the same email in Thunderbird shows that the original message has a valid cert chain up to the correct "DoD Root CA 2" via "DOD EMAIL CA-20".
Have you filed a bug report yet?
--Ron
On Apr 2, 2010, at 5:36 PM, Mark Radleigh (CTR) wrote:
> Greetings all,
>
> I'm running Leopard (10.5.8) with the latest patches, and lately Entourage
> would all of the sudden start having trust issues with PKI certificates for
> *existing*, known good certificates. Following some previous advice,
> quitting Entourage, deleting the 'Microsoft_Intermediate_Certificates'
> keychain, and then restart Entourage would fix the issue for a bit, but then
> it would pop back up!
>
> Well, after a while (and getting sufficiently annoyed), I noticed that this
> issue would happen right after I read a digitally signed or encrypted email
> from a particular group of (DoD related) people (and that group is growing).
> So I did some digging around and found that these people would have
> legitimate DoD issued certificates, but the 'issuing certificate path' was
> different from normal. Specifically, the 'problem' certs have been issued
> by a 'newer' 'DoD Root CA 2', which has the following 'issuing' path:
>
> 1) FBCA (Serial #: 18:cc:d6:6b:00:01:00:00:00:6f)
> -> Issuer => CN=Common Policy,OU=Entrust,OU=FBCA=O=U.S. Government,C=US
> 2) DoD Interoperability Root CA 1 (Serial #: 0x451de523 or 1159587107)
> -> Issuer => OU=Entrust,OU=FBCA=O=U.S. Government,C=US
> 3) DoD Root CA 2 (Serial #: 0xc or 12)
> -> Issuer => OCN= DoD Interoperability Root CA 1,OU=PKI,OU=DoD=O=U.S.
> Government,C=US
>
> I noticed that these Certificate Authorities would be added in the
> 'Microsoft_Intermediate_Certificates' keychain immediately upon processing
> an email from a 'problem' user and the 'Keychain Access' Utility program
> would give the following errors for the 'DoD Interoperability Root CA 1' and
> 'DoD Root CA 2' certificates:
>
> * This certificate cannot be used (unrecognized critical extension)
>
> I suspect this has to do with the outdated OpenSSL binaries installed on
> with Leopard, as one can see it chokes when trying to process the extensions
> in question for the 'problem' certificates (via 'openssl x509 -text
> -noout'):
>
> ----- <BEGIN SNIPPET> ------
> 2.5.29.33:
> 020..
> `.H.e.......`.H.e....0..
> `.H.e.......`.H.e....
> X509v3 Certificate Policies:
> Policy: 2.16.840.1.101.3.2.1.3.3
> Policy: 2.16.840.1.101.3.2.1.3.12
>
> X509v3 Name Constraints: critical
> 0=.;09.7051.0...U....US1.0...U.
> ..U.S. Government1.0
> ..U....DoD
> ----- <END SNIPPET> --------
>
> It seems that the problem with this 'DoD Root CA 2' affects *everything*
> that was issued by a 'DoD Root CA 2' CA (normal *or* new) from that point
> on! Also, it looks like the *key* security binaries and/or Frameworks are
> *STATICALLY* linked to the 'old' OpenSSL libraries so, unless I am missing
> something, even if you update them, it doesn't get you anything until they
> are recompiled!
>
> It should be worth mentioning that the 'normal' 'DoD Root CA 2' is issued to
> itself, and adding the problem certificates to the 'System Root' keychain
> (and trust settings file) just makes everything worse. So, anybody have any
> ideas? Can Apple maybe update OpenSSL to at least 0.9.8 (or even 1.0.0) and
> RE-COMPILE any statically linked binaries using OpenSSL? This is starting
> to be a pain to deal with.
>
> Thanks,
>
> --
> Mark Radleigh, Contractor, AFRL/RDSM
> email@hidden
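An added example (mine, not code from either poster) of the RFC 5280 rule behind the Keychain message quoted above: a stdlib-only Python reader that walks a DER Extensions block and reports which critical extensions a given validator does not implement, which is exactly what makes a cert "unusable" to older software. The sample block and the two validator profiles are constructed; they mirror the policyMappings (2.5.29.33) and critical Name Constraints extensions visible in the openssl dump, not the real DoD certificate.

```python
"""RFC 5280 rule modelled here: a certificate carrying a critical extension that
the validator does not implement must be rejected ("unrecognized critical extension")."""
OIDS = {"2.5.29.15": "keyUsage", "2.5.29.19": "basicConstraints",
        "2.5.29.30": "nameConstraints", "2.5.29.32": "certificatePolicies",
        "2.5.29.33": "policyMappings", "2.5.29.36": "policyConstraints"}

def _read(buf, pos):
    """Return (tag, body, position after the element) for one DER TLV."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                              # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def _oid_str(body):                           # first byte = 40*arc0 + arc1 (ok for 2.5.29.x)
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                        # remaining arcs are base-128, high bit = more
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def parse_extensions(der):
    """[(dotted OID, critical, raw extnValue)] from a DER Extensions SEQUENCE.
    DER omits 'critical' when it is the DEFAULT FALSE, so the value may come second."""
    out, pos, seq = [], 0, _read(der, 0)[1]
    while pos < len(seq):
        _, ext, pos = _read(seq, pos)
        _, oid, p = _read(ext, 0)
        tag, val, p = _read(ext, p)
        critical = tag == 0x01 and val == b"\xff"
        if tag == 0x01:                       # flag was present: extnValue follows it
            _, val, p = _read(ext, p)
        out.append((_oid_str(oid), critical, val))
    return out

def check(der, implemented):
    """Return (usable, names of critical extensions this validator cannot process)."""
    bad = [OIDS.get(o, o) for o, crit, _ in parse_extensions(der)
           if crit and o not in implemented]
    return not bad, bad

# Constructed Extensions block modelled on the cross-certificate in the thread
# (extnValues are empty SEQUENCEs; only the OID and the critical flag matter here).
SAMPLE = bytes.fromhex("3027"
    "300c 0603551d21 0101ff 04023000"        # 2.5.29.33 policyMappings, critical
    "3009 0603551d20 04023000"               # 2.5.29.32 certificatePolicies
    "300c 0603551d1e 0101ff 04023000")       # 2.5.29.30 nameConstraints, critical
LEGACY = {"2.5.29.15", "2.5.29.19", "2.5.29.30", "2.5.29.32"}  # no policyMappings support
MODERN = LEGACY | {"2.5.29.33", "2.5.29.36"}
```

`check(SAMPLE, LEGACY)` rejects the block solely because of policyMappings, while `check(SAMPLE, MODERN)` accepts it; the same bytes, different validator, which is the situation the thread describes.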