On 5/29/2012 3:52 PM, Antonio Lobato wrote:
> On 5/29/2012 1:28 PM, Robert Relyea wrote:
>> Just looking at the error message, I would normally guess that the trust
>> chain is no longer trusted. That is, you are chaining to a CA that we've
>> taken out of the trust list (probably because the CA was compromised).
>> Since this is an ldap server, I think it's only 20% likely (people do
>> get globally trusted certs for ldap servers, but it's more common that
>> they use a cert in their own infrastructure).
> You're right -- these are self-signed certs that a client is using.
>> The next most likely cause would be that one of the certs in your cert
>> chain matches a compromised certificate in the builtin trust store
>> (matches by issuer and serial number).
> This shouldn't apply as these are self-signed certs.
>> Finally, check your nss database. If you have an intermediate cert with
>> the 'peer' bit on 'p', that actually marks the intermediate as
>> untrusted. In NSS 3.12 the 'p==untrusted' only applied to leaf certs, it
>> was ignored otherwise. In NSS 3.13 it also applies to intermediate
>> certs. If it's on (and no other trust bits are on), then the certificate
>> is explicitly distrusted. My guess is this is your problem.
> The nssdb is empty.
> Any other ideas?
Oh, just checked the serial number of the cert: 00
That would do it. Thanks all.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
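Added example, not code from the thread or from NSS: a stdlib-only check for the serial-number problem the thread ends on. It walks a DER Certificate down to TBSCertificate.serialNumber and flags violations of RFC 5280 section 4.1.2.2 (the serial must be a positive integer of at most 20 octets); make_skeleton_cert builds constructed, non-valid input so the check can be tried without a real certificate, and all function names are the example's own.

```python
def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short or long length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _read_tlv(buf: bytes, pos: int) -> tuple[int, int, int]:
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def serial_octets(der: bytes) -> bytes:
    """Return the content octets of TBSCertificate.serialNumber from a DER cert."""
    tag, pos, _ = _read_tlv(der, 0)             # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER Certificate")
    _, pos, _ = _read_tlv(der, pos)             # TBSCertificate SEQUENCE
    tag, start, end = _read_tlv(der, pos)       # [0] EXPLICIT version (optional)
    if tag == 0xA0:
        tag, start, end = _read_tlv(der, end)   # serialNumber follows the version
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    return der[start:end]


def check_serial(der: bytes) -> list[str]:
    """RFC 5280 4.1.2.2 violations: serial must be a positive integer of <= 20 octets."""
    octets = serial_octets(der)
    value = int.from_bytes(octets, "big", signed=True)  # DER INTEGER is two's complement
    problems = []
    if value == 0:
        problems.append("zero")        # the thread's case: serial 00
    elif value < 0:
        problems.append("negative")    # high bit set without a leading 0x00 pad
    if len(octets) > 20:
        problems.append("too-long")
    return problems


def make_skeleton_cert(serial: bytes) -> bytes:
    """Constructed input: TBS with only version + serial, empty sig fields. Not a valid cert."""
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
```

For a real certificate, feed `check_serial` the DER bytes (PEM must be base64-decoded first); an empty list means the serial passes all three checks.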