Stuart Fermenick wrote:
> Hello all!
> 
> At the school where I work, our student information system has a digital 
> certificate installed from VeriSign. Because it is a 128-bit certificate, 
> there are three parts to it: the middle part is an intermediate portion also 
> from VeriSign that bumps it up from 64-bit to 128-bit.

Stuart,  Prior to the summer of 2000, U.S. export control regulations
caused there to be two sets of browser products, domestic and export.
Domestic browsers could do strong (e.g. 128-bit) crypto with *ANY* cert.
Export browsers could only do strong crypto when talking to servers
with special certs, such as the one you have.  But in the year 2000, the
export regulations changed, and since then, the so-called domestic browsers
are able to be shipped to just about anywhere in the world (except the
"T-7" terrorist nations).  So, today, there's really not much point in
spending extra for certs with that special feature, because 99% of
the browsers in the world just don't need them any more.

> The Firefox browser in both versions 1.0.7 and 1.5 initially came up with a 
> message box title of "Web Site Certified by an Unknown Authority" and the 
> content of the message box of "Unable to verify the identity of sis.cgu.edu 
> as a trusted site" when we went to the SSL signon page.
> 
> Firefox shows our page with the three level hierarchy. It just shows the 
> bottom level, sis.cgu.edu. However, Microsoft's Internet Explorer shows all 
> three levels of the hierarchy.

That means your server is misconfigured.  It is not sending out all its
certificates.  It is sending its own certificate, but is not sending out
that intermediate certificate to which you referred above.  The SSL and
TLS standards require servers to send out all the certs in the chain,
and not just the server's own cert.

> When we go to different encrypted pages on this web site, Firefox takes on 
> average 25 seconds to render the SSL pages. Internet Explorer, Opera and 
> Safari typically takes only 2 seconds to render the page. The additional 23 
> seconds is excessive and unacceptable. We are experiencing this 25 second 
> delay on at least six different workstations. This is happening on the PC 
> platform, Firefox 1.0.7 build 20050915 and Firefox 1.5 build 20051111. On 
> the Mac OSX platform this delay is happening on Firefox

My guess is that your school uses an http proxy or SOCKS proxy.  That is,
the computers in your classrooms (or labs or whatever) reach the outside
internet through a proxy server on a firewall system.  I further guess that
you have some sort of certificate revocation checking (such as with OCSP or
CRLs) enabled in your Firefox browsers, but not in the other browsers you
mentioned.  It is a known bug that Firefox is unable to communicate with
revocation servers through proxies.  Attempts to reach a revocation server
will time out, hence the 25 second delay.  We hope to fix that this year.
In the meantime, I suggest disabling revocation checking in Firefox.

If your Firefoxes are not doing revocation checking, then ... more
investigation is needed.

> So, there are a couple of questions:
> 1) Is there a default configuration setting in all (or most) versions of 
> Firefox that needs to be changed that would significantly reduce this delay?

If this delay is due to revocation checking, disabling that checking will
eliminate the delay.

> 2) Does Firefox have an issue with 3 level hierarchy digital certificates? 
> Is this a bug?

No.  Firefox adheres to the standard that requires the server to send out
the entire certificate "chain" (except for the "root" CA cert).  When your
server sends out the cert chain in accordance with the standard, you'll
find that Firefox is happy.

> Thanks in advance for your replies / emails!
> 
> --Stuart Fermenick
> [EMAIL PROTECTED] 

One last point.  The newsgroup netscape.public.mozilla.crypto is now
deprecated.  The replacement group is mozilla.dev.tech.crypto, which
is available from mozilla's free news server, news.mozilla.org, and
also as a mailing list from lists.mozilla.org.  See
news://news.mozilla.org:119/[EMAIL PROTECTED]
news://news.mozilla.org:119/[EMAIL PROTECTED]

-- 
Nelson B
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
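The chain-building behaviour Nelson describes, as an added example that is not part of the thread and not Mozilla/NSS code: it constructs a throw-away three-level hierarchy (root CA, intermediate CA, server certificate for sis.cgu.edu, the host named in the post) and then simulates a browser that trusts only the root and has to assemble a path from whatever the server actually sent. With only the server's own certificate presented, no path to a trusted root exists (the "Unknown Authority" dialog); with the intermediate included, the full three-level path is found. The CA names are constructed, and the example assumes the third-party `cryptography` package is installed.

```python
"""Why a TLS server must send its intermediate certificate (added example).

Builds root -> intermediate -> leaf with throw-away EC keys, then mimics a
browser that trusts only the root. Assumes the `cryptography` package.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

HOST = "sis.cgu.edu"  # host from the original post; CA names below are constructed


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _make_cert(subject, issuer_name, issuer_key, subject_key, is_ca):
    """Sign a certificate for `subject` with the issuer's private key."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_name)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def make_three_level_chain():
    """Return (root, intermediate, leaf), a hierarchy like the one in the post."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    inter_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    root_name = _name("Example Root CA (constructed)")
    inter_name = _name("Example Intermediate CA (constructed)")
    root = _make_cert(root_name, root_name, root_key, root_key, True)
    inter = _make_cert(inter_name, root_name, root_key, inter_key, True)
    leaf = _make_cert(_name(HOST), inter_name, inter_key, leaf_key, False)
    return root, inter, leaf


def _signed_by(cert, issuer_cert):
    """True if cert names issuer_cert as issuer and its signature verifies."""
    if cert.issuer != issuer_cert.subject:
        return False
    try:
        issuer_cert.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm),
        )
        return True
    except Exception:  # cryptography.exceptions.InvalidSignature
        return False


def build_path(leaf, presented, trust_roots):
    """Simulate browser path building.

    `presented` is what the server sent (its own cert plus any intermediates);
    `trust_roots` is the browser's built-in store. Returns [leaf, ..., root]
    or None when no path to a trusted root exists (the "Unknown Authority" case).
    """
    path, current, seen = [leaf], leaf, {leaf}
    while True:
        # A trusted root that signed `current` completes the path.
        for root in trust_roots:
            if _signed_by(current, root):
                return path + [root]
        # Otherwise the issuer must be among the certificates the server sent.
        issuer = next((c for c in presented if c not in seen and _signed_by(current, c)), None)
        if issuer is None:
            return None
        path.append(issuer)
        seen.add(issuer)
        current = issuer


if __name__ == "__main__":
    root, inter, leaf = make_three_level_chain()
    # Misconfigured server: only its own certificate goes out -> None.
    print("leaf only:", build_path(leaf, [leaf], [root]))
    # Correct server: leaf plus intermediate, root omitted -> three-level path.
    path = build_path(leaf, [leaf, inter], [root])
    print("leaf + intermediate:", [c.subject.rfc4514_string() for c in path])
```

A browser such as IE may still render the page in the first case because it fetches or caches the missing intermediate on its own; that hides the misconfiguration rather than fixing it, so the check worth running against a server is whether the presented list alone yields a path.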
