On 10/05/2009 03:41 AM, Nelson B Bolyard:
That's not true.  It's likely true for some servers, but not for SWS.

And, in any case, the case where the browser has no cert to send is not
one of the cases described by the original poster.

Well, there is no difference in the reporting by Firefox, be it that the certificate has expired or is entirely missing. It MIGHT report revoked due to revocation checking with OCSP; for certificates which don't support OCSP, the certificate is treated as valid.

Eddy, Maybe you should try a different server product.  There are server
products out there that NEVER send back failure alerts due to any kind
of authentication failure, but instead always send back https web pages
containing error messages.

Nelson, you must be joking! Firefox doesn't even ATTEMPT to authenticate with the server in all these cases; this includes:

Expired certificate
Revoked certificate
Bad signature
Non-existing certificate
Missing CA chain (in case the server sends only a root as accepted CA, but the certificate is issued by an intermediate)

Those cases don't even get to the server after the initial exchange; the exchange is simply stopped and the error page is shown. The server has NO chance to send anything back because Firefox doesn't send an expired certificate, a revoked certificate or a certificate with a bad signature, nor anything when no certificate exists or the intermediate CA is missing (all cases are treated exactly the same - NO VALID CERTIFICATE).

It does make sense that Firefox doesn't send a certificate if it doesn't have anything valid to show. But please don't claim this is something that belongs to the server side; you make me laugh :D

That would only work for some occurrences if the server accepts ANY certificate. For servers which require strict authentication from an accepted list of issuers, all of the above is correct.

Unfortunately the error message(s) Firefox presents for this, but also for many other cases, are very unhelpful, in a language which only makes sense to me and a few others. :S

--
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:    start...@startcom.org
Blog:    http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

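As an added illustration (not code from this thread, nor from NSS or Firefox), the simplified Python model below shows why none of the listed cases ever reaches the server: the client filters out expired, revoked and unchainable certificates locally and then sends no certificate at all, so a server-side error page never gets a chance. The certificate names, dates, store layout and chain-walking logic are constructed assumptions for the example, not NSS's actual implementation.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (not a real parser)."""
    subject: str
    issuer: str
    not_after: datetime
    revoked: bool = False       # what an OCSP/CRL lookup would report
    signature_ok: bool = True   # stands in for signature verification

def build_chain(cert, accepted_cas, store, max_depth=5):
    """Walk issuer links through the local store of intermediates until an
    issuer named in the server's CertificateRequest is reached.
    Returns the chain (leaf first), or None if it cannot be completed."""
    chain, cur = [cert], cert
    for _ in range(max_depth):
        if not cur.signature_ok:
            return None              # "bad signature" case
        if cur.issuer in accepted_cas:
            return chain
        parent = store.get(cur.issuer)
        if parent is None:
            return None              # "missing CA chain" case
        chain.append(parent)
        cur = parent
    return None

def select_client_cert(candidates, accepted_cas, store, now):
    """Return (cert, chain) for the first usable candidate, or None.
    None models the client sending no certificate at all, so the server
    never learns which of the failure cases applied."""
    for c in candidates:
        if c.not_after <= now or c.revoked:
            continue                 # expired / revoked: never offered
        chain = build_chain(c, accepted_cas, store)
        if chain is not None:
            return c, chain
    return None

# Constructed sample data: server accepts only the root, leaf is issued by
# an intermediate, so the chain completes only if the intermediate is local.
NOW = datetime(2009, 10, 5, tzinfo=timezone.utc)
ROOT, INTER = "CN=Example Root CA", "CN=Example Intermediate CA"
INTERMEDIATE = Cert(INTER, ROOT, datetime(2019, 1, 1, tzinfo=timezone.utc))
LEAF = Cert("CN=eddy", INTER, datetime(2010, 1, 1, tzinfo=timezone.utc))
EXPIRED = Cert("CN=old", INTER, datetime(2008, 1, 1, tzinfo=timezone.utc))

def demo():
    no_store = select_client_cert([LEAF], {ROOT}, {}, NOW)
    with_store = select_client_cert([LEAF], {ROOT}, {INTER: INTERMEDIATE}, NOW)
    expired = select_client_cert([EXPIRED], {ROOT}, {INTER: INTERMEDIATE}, NOW)
    return no_store, with_store, expired
```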