[Fed-Talk] RE: PKI Certificates - Unknown Critical Extensions causing problems...
- Subject: [Fed-Talk] RE: PKI Certificates - Unknown Critical Extensions causing problems...
- From: "Miller, Timothy J." <email@hidden>
- Date: Sun, 4 Apr 2010 17:34:24 -0400
- Acceptlanguage: en-US
- Thread-topic: PKI Certificates - Unknown Critical Extensions causing problems...
It's chaining across the Federal Bridge, which shouldn't be happening except in special cases (e.g., if you didn't already trust Root 2). The client could be sending you the cross-cert chain, which might simply be a misconfiguration.
-- Tim
>-----Original Message-----
>From: fed-talk-bounces+tmiller=email@hidden [mailto:fed-talk-bounces+tmiller=email@hidden] On Behalf Of Mark Radleigh (CTR)
>Sent: Friday, April 02, 2010 6:37 PM
>To: Apple FED-TALK
>Subject: [Fed-Talk] PKI Certificates - Unknown Critical Extensions causing problems...
>
>Greetings all,
>
>I'm running Leopard (10.5.8) with the latest patches, and lately Entourage would all of the sudden start having trust issues with PKI certificates for *existing*, known good certificates. Following some previous advice, quitting Entourage, deleting the 'Microsoft_Intermediate_Certificates' keychain, and then restarting Entourage would fix the issue for a bit, but then it would pop back up!
>
>Well, after a while (and getting sufficiently annoyed), I noticed that this issue would happen right after I read a digitally signed or encrypted email from a particular group of (DoD related) people (and that group is growing). So I did some digging around and found that these people would have legitimate DoD issued certificates, but the 'issuing certificate path' was different from normal. Specifically, the 'problem' certs have been issued by a 'newer' 'DoD Root CA 2', which has the following 'issuing' path:
>
>1) FBCA (Serial #: 18:cc:d6:6b:00:01:00:00:00:6f)
> -> Issuer => CN=Common Policy,OU=Entrust,OU=FBCA=O=U.S. Government,C=US
>2) DoD Interoperability Root CA 1 (Serial #: 0x451de523 or 1159587107)
> -> Issuer => OU=Entrust,OU=FBCA=O=U.S. Government,C=US
>3) DoD Root CA 2 (Serial #: 0xc or 12)
> -> Issuer => OCN= DoD Interoperability Root CA 1,OU=PKI,OU=DoD=O=U.S. Government,C=US
>
>I noticed that these Certificate Authorities would be added in the 'Microsoft_Intermediate_Certificates' keychain immediately upon processing an email from a 'problem' user and the 'Keychain Access' Utility program would give the following errors for the 'DoD Interoperability Root CA 1' and 'DoD Root CA 2' certificates:
>
> * This certificate cannot be used (unrecognized critical extension)
>
>I suspect this has to do with the outdated OpenSSL binaries installed with Leopard, as one can see it chokes when trying to process the extensions in question for the 'problem' certificates (via 'openssl x509 -text -noout'):
>
>----- <BEGIN SNIPPET> ------
> 2.5.29.33:
> 020..
>`.H.e.......`.H.e....0..
>`.H.e.......`.H.e....
> X509v3 Certificate Policies:
> Policy: 2.16.840.1.101.3.2.1.3.3
> Policy: 2.16.840.1.101.3.2.1.3.12
>
> X509v3 Name Constraints: critical
> 0=.;09.7051.0...U....US1.0...U.
>..U.S. Government1.0
>..U....DoD
>----- <END SNIPPET> --------
>
>It seems that the problem with this 'DoD Root CA 2' affects *everything* that was issued by a 'DoD Root CA 2' CA (normal *or* new) from that point on! Also, it looks like the *key* security binaries and/or Frameworks are *STATICALLY* linked to the 'old' OpenSSL libraries so, unless I am missing something, even if you update them, it doesn't get you anything until they are recompiled!
>
>It should be worth mentioning that the 'normal' 'DoD Root CA 2' is issued to itself, and adding the problem certificates to the 'System Root' keychain (and trust settings file) just makes everything worse. So, anybody have any ideas? Can Apple maybe update OpenSSL to at least 0.9.8 (or even 1.0.0) and RE-COMPILE any statically linked binaries using OpenSSL? This is starting to be a pain to deal with.
>
>Thanks,
>
>--
>Mark Radleigh, Contractor, AFRL/RDSM
>email@hidden
>
>
>Caution: This message may contain competitive, sensitive or other non-public information not intended for disclosure outside official government channels. Do not disseminate this message without the approval of the undersigned's office. If you received this message in error, please notify the sender by reply e-mail and delete all copies of this message.
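Tim's observation that the path is chaining across the Federal Bridge, and Mark's "unrecognized critical extension" error, both come down to two decisions an X.509 validator makes: whether a critical extension it does not understand forces rejection (RFC 5280 section 4.2 says it must), and where path building stops when the client hands over a cross-certificate chain. The Python below is an added illustration of both and is not code from either poster, from Apple, or from OpenSSL. The DER sample, the two "supported extension" sets, and the end-entity name in the issuer table are constructed assumptions; the issuer table itself follows the chain Mark listed.

```python
"""Added illustration of two validator decisions behind this thread:
(1) RFC 5280 sec. 4.2: a certificate carrying a critical extension the
    validator does not recognize MUST be rejected (the Keychain Access
    error Mark quotes);
(2) path building should stop at a subject that is already a trust
    anchor instead of following a cross-certificate on through a bridge
    CA (Tim's point about chaining across the Federal Bridge).
Sample DER, the 'supported OID' sets and the issuer table are constructed
for the example, not data taken from the thread.
"""

# ---- minimal DER encode/decode, enough for an X.509 Extensions SEQUENCE ----

def _der_len(n):
    """DER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (first two arcs packed, base-128 for the rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos):
    """Return (tag, body, position just after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def extension(oid, value, critical=False):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    body = encode_oid(oid)
    if critical:                      # DEFAULT FALSE: DER omits the BOOLEAN when false
        body += tlv(0x01, b"\xff")
    return tlv(0x30, body + tlv(0x04, value))

def parse_extensions(der):
    """Walk an Extensions SEQUENCE; return [(oid, critical, raw extnValue), ...]."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid_body, p = read_tlv(ext, 0)
        tag, body, p = read_tlv(ext, p)
        critical = False
        if tag == 0x01:               # the optional critical BOOLEAN is present
            critical = body == b"\xff"
            tag, body, p = read_tlv(ext, p)
        out.append((decode_oid(oid_body), critical, body))
    return out

def unrecognized_critical(der, supported_oids):
    """Critical extension OIDs outside the validator's support set: any hit means reject."""
    return [oid for oid, crit, _ in parse_extensions(der) if crit and oid not in supported_oids]

# Constructed sample echoing the snippet: a critical nameConstraints (2.5.29.30)
# and a non-critical policyMappings (2.5.29.33), plus a critical basicConstraints.
SAMPLE_EXTENSIONS = tlv(0x30, b"".join([
    extension("2.5.29.19", tlv(0x30, tlv(0x01, b"\xff")), critical=True),  # basicConstraints cA=TRUE
    extension("2.5.29.30", tlv(0x30, b""), critical=True),                  # nameConstraints, placeholder body
    extension("2.5.29.33", tlv(0x30, b""), critical=False),                 # policyMappings, placeholder body
]))
OLD_VALIDATOR = {"2.5.29.19", "2.5.29.15", "2.5.29.32"}      # assumed: knows no nameConstraints
NEW_VALIDATOR = OLD_VALIDATOR | {"2.5.29.30", "2.5.29.33"}

# ---- path building: stop at the first subject that is already trusted ----

# subject -> issuer, following the cross-certified route Mark listed;
# the end-entity name is constructed for the example.
ISSUER_OF = {
    "end-entity (constructed)": "DoD Root CA 2",
    "DoD Root CA 2": "DoD Interoperability Root CA 1",
    "DoD Interoperability Root CA 1": "FBCA",
    "FBCA": "Common Policy",
    "Common Policy": "Common Policy",   # self-signed
}

def build_path(leaf, issuer_of, trust_anchors):
    """Chain upward from leaf, stopping at the first subject in trust_anchors.
    Raises if a self-signed, untrusted certificate is reached instead."""
    path, name = [leaf], leaf
    while name not in trust_anchors:
        issuer = issuer_of.get(name)
        if issuer is None or issuer == name:
            raise ValueError("no trusted anchor reached at %r" % name)
        path.append(issuer)
        name = issuer
    return path

if __name__ == "__main__":
    print(unrecognized_critical(SAMPLE_EXTENSIONS, OLD_VALIDATOR))   # ['2.5.29.30']
    print(build_path("end-entity (constructed)", ISSUER_OF, {"DoD Root CA 2"}))
    print(build_path("end-entity (constructed)", ISSUER_OF, {"Common Policy"}))
```

With 'DoD Root CA 2' in the anchor set the path is two entries long and the cross-certificate is never consulted; remove that anchor and the same leaf chains up through the Interoperability Root and the FBCA to Common Policy, which is the behaviour Tim describes as expected only when Root 2 is not already trusted.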
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden