Forum OpenACS Q&A: NN 4.x browsers, ssl, No User Certificate message

Netscape 4.x browsers (and I suspect other 4.x browsers) show a message:

No User Certificate

The site.. has requested client authentication, but you do not have a Personal Certificate to authenticate yourself. The site may choose not to give you access without one.

The 4.x browsers don't show that message window when connecting via ssl to other websites.

Does this suggest that the security chain is not working? Something else?

I appended the security chain to the crt.pem Certfile[1] like so:

-----BEGIN CERTIFICATE-----
(multiline encryption string)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(multiline encryption string)
-----END CERTIFICATE-----

Perusing Pascal Scheffers' patch[2], I also notice that the nsd.tcl file is using ns_param ServerProtocols instead of Protocol, but since SSL is working for 5.x and above browsers, I don't think the name variance is an issue.

The server is at: http://dekka.com:8000 if you want to test directly.

Hints etc. much appreciated.

1. http://www.scottg.net/webtools/aolserver/modules/nsopenssl/changelog/
2. http://pascal.scheffers.net/patch/openssl.txt
Posted by Torben Brosten on
Checking some other sites running openacs (with ssl), the problem appears unique to this server.

Apparently this server is requiring client certification[1].

Now to skim nsd.tcl again for some kind of SSLRequiresClient or something.

1. http://www.lists.aldigital.co.uk/apache-ssl/msg01837.html

Posted by Torben Brosten on

ps. Requesting https://dekka.com:8443 only results in a line like this in the error log:

[19/Dec/2003:09:55:13][10131.146598912][-conn1-] Notice: Security: 1071827701 sec_generate_session_id_cookie setting 530005, 313.

Which is essentially the same for browsers that do not produce the "No User Certificate" error.

Posted by Matthias Melcher on
In the aolserver config.tcl, did you specify
ns_param ServerPeerVerify                false
ns_param SockServerPeerVerify            false
ns_param SockClientPeerVerify            false
?
Posted by Torben Brosten on
Thanks Matthias, I'll try changing all three. Openacs.org burped. I am posting the following, which I meant to post a few hours ago:

Changing the following nsopenssl configuration[1] parameters (and then restarting aolserver) did not change the symptoms. Interestingly, SockServerPeerVerifyDepth is listed twice, but there is no SockClientPeerVerifyDepth.

ns_param SockServerPeerVerify false
ns_param SockClientPeerVerify false
ns_param SockServerPeerVerifyDepth 0

1. http://www.scottg.net/webtools/aolserver/modules/nsopenssl/configuration/


Posted by Marc Fournier on
Hrmmm ... taking a look at the nsd.tcl file, there are three lines commented out per "SSL section":

#ns_param ServerCADir                    ca
#ns_param ServerCAFile                    ca.pem
#ns_param ServerTrace                    false

#ns_param SockServerCADir                internal_ca
#ns_param SockServerCAFile                internal_ca.pem
#ns_param SockServerTrace                false

#ns_param SockClientCADir                ca
#ns_param SockClientCAFile                ca.pem
#ns_param SockClientTrace                false

Now, for what we're looking at here, I'm suspecting that the first 3 are potentially critical?  But what should they be set to?  And, could this be the cause?

Posted by Torben Brosten on
Matthias Melcher,

Your suggestion worked, thanks!

As it turns out, only ServerPeerVerify needs to be set "false" to get the message to stop. So am leaving the others "true" (for now).

Marc,

Reading googled bits here and there, it looks (to me) like those items are relevant to the nsopenssl 2.x ns_httpsget etc., since they are not in nsopenssl 1.x, and 2.x has a few new ssl connect related commands[1]. Of course, this is just sharing ignorance on my part. It would be nice to have the ns_params documented.

1. http://cvs.sourceforge.net/viewcvs.py/*checkout*/aolserver/nsopenssl/README?content-type=text%2Fplain&rev=1.3

Posted by Torben Brosten on
Infamous last words: "for now".

Just had to set SockClientPeerVerify "false" to prevent errors when payment-gateway package contacts.. er uh payment-gateway via https.
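To put Matthias's suggestion and the final resolution of this thread in one place, here is an added example of the relevant nsopenssl section of nsd.tcl; it is not taken from the thread or from the nsopenssl project. The parameter names are the ones quoted above (ServerPeerVerify, ServerCAFile, SockClientPeerVerify, SockClientCAFile); the ServerCertFile/ServerKeyFile names, the file names, the `${server}` variable and the section path are assumptions for illustration.

```tcl
# Added example (not from the thread): trimmed nsopenssl section of an
# AOLserver nsd.tcl. Section path and ${server} variable are assumed.
ns_section "ns/server/${server}/module/nsopenssl"

# --- Inbound HTTPS listener (what browsers connect to on port 8443) ---
ns_param ServerPort         8443
ns_param ServerCertFile     crt.pem   ;# server cert followed by the CA chain (name assumed)
ns_param ServerKeyFile      key.pem   ;# private key (name assumed)

# With ServerPeerVerify true the listener asks every browser for a client
# certificate; that request is what Netscape 4.x reports as "No User
# Certificate". The thread found that setting only this parameter to false
# makes the message stop. ServerCAFile is only relevant when verification
# is on, so it stays commented out here.
ns_param ServerPeerVerify   false
#ns_param ServerCAFile      ca.pem

# --- Outbound HTTPS client (ns_httpsget etc., used by payment-gateway) ---
# SockClientPeerVerify true checks the remote server's certificate against
# SockClientCAFile. With no CA file configured that check cannot succeed,
# which is the payment-gateway error in the last post.
#
# Quick fix used in the thread: turn verification off. Note that this also
# means the gateway's identity is no longer checked on those connections.
ns_param SockClientPeerVerify   false
#ns_param SockClientCAFile      ca.pem

# Preferred alternative: keep verification on and give nsopenssl the CA that
# issued the payment gateway's certificate (file name assumed).
#ns_param SockClientPeerVerify  true
#ns_param SockClientCAFile      gateway-ca.pem
```

Flipping ServerPeerVerify off only changes whether the listener sends a certificate request to browsers; the server's own certificate and chain in crt.pem are still presented as before. The outbound side is the one worth revisiting: leaving SockClientPeerVerify false keeps the payment-gateway calls working but removes the server-certificate check on those connections, so supplying the gateway's CA via SockClientCAFile is the setting to aim for once it is available.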