
Re: [iaik-ssl] Problems connecting to sites using VeriSign



    Thank you and Spencer for alerting me to this. I have been playing
around with the iaik.security.ssl.ChainVerifier class to see how to
accomplish this.

    The situation is that the SSL server at www.verisign.com:443 sends a
chain of two certificates, cert[0] and cert[1], in its ServerCertificate
message: cert[0] is the server cert and cert[1] is the issuer cert. It turns
out that cert[1] is expired, and the ChainVerifier naturally and correctly
complains about this. It also turns out that Netscape and IE have a current
cert which contains the same public key as in cert[1]. So I "exported" that
cert from IE, imported it into my java application, and added it to the
trusted root store via
iaik.security.ssl.ChainVerifier.addTrustedCertificate().

    My question is what do I do next? If I try to verify the {cert[0],
cert[1]} chain I still get a CertificateExpiredException. I'm guessing I am
supposed to extend the ChainVerifier class and override the
verifyCertificate() method to duplicate the functionality present in IE and
Netscape.

 Greg Stark, Chief Security Architect
 Who?Vision Systems, Inc.

gstark@whovision.com


----- Original Message -----
From: "Peter Lipp" <Peter.Lipp@iaik.at>
To: "Gregory Stark" <gstark@whovision.com>; <iaik-ssl@iaik.at>
Sent: Wednesday, May 17, 2000 2:33 AM
Subject: AW: [iaik-ssl] Problems connecting to sites using VeriSign


> Simple, they already have a newer one and while the server sends the older
> one, they take care of that by forming a new chain to the new one. This is
> not something we can do automatically in iSaSiLk because we don't ship any
> certificates in the first place, but you can add that behaviour
> yourself....
>
> Peter
>
>



***************************************************************************
*                                                                         *
* IAIK S/MIME Mapper Security Info                                        *
* ===================================                                     *
*                                                                         *
* for message:                                                            *
*   From: "Gregory Stark" <gstark@whovision.com>                          *
*   Date: Wed, 17 May 2000 12:24:24 -0400                                 *
*   Subject: Re: [iaik-ssl] Problems connecting to sites using VeriSign   *
*                                                                         *
* Message S/MIME properties:                                              *
*                                                                         *
*   Encrypted using:    not encrypted                                     *
*                                                                         *
*   Digitally signed:   no                                                *
*   Signature valid:    n/a                                               *
*   Signature trusted   n/a                                               *
*                                                                         *
*                                                                         *
* Compliance with policy for email addresses *:                           *
*                                                                         *
*   Encryption:         OK (None or better required)                      *
*                                                                         *
*   Digital Signature:  OK (digital signature not required)               *
*                                                                         *
***************************************************************************
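
Added example, not part of the original messages and not iSaSiLk code: one way to "form a new chain to the new one" as described in the thread, written against the standard java.security.cert API only. The class and method names are hypothetical, and it assumes the current trusted certificate carries the same subject name and public key as the expired cert[1].

```java
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Date;

/** Hypothetical helper: prefers a locally trusted issuer cert over the server-sent copy. */
public final class TrustedIssuerSubstitution {

    /**
     * Walks the server-sent chain (chain[0] = server cert). At each step it first looks
     * for a trusted certificate that issued the current cert; if one is found, the rest
     * of the server-sent chain (for example an expired cert[1]) is never consulted.
     * Checks names, signatures and validity dates only; basic constraints, key usage,
     * revocation and host name matching are out of scope here and still required.
     */
    public static X509Certificate verify(X509Certificate[] chain,
                                         Collection<X509Certificate> trusted,
                                         Date now) throws GeneralSecurityException {
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = chain[i];
            cert.checkValidity(now);              // every cert we rely on must be current
            X509Certificate anchor = findTrustedIssuer(cert, trusted, now);
            if (anchor != null) {
                return anchor;                    // chain ends at the trusted store
            }
            if (i + 1 < chain.length) {           // fall back to the server-sent issuer
                X509Certificate next = chain[i + 1];
                if (!cert.getIssuerX500Principal().equals(next.getSubjectX500Principal())) {
                    throw new CertificateException("chain is not in issuer order");
                }
                cert.verify(next.getPublicKey()); // next is date-checked on the next pass
            }
        }
        throw new CertificateException("no trusted certificate reached");
    }

    private static X509Certificate findTrustedIssuer(X509Certificate cert,
            Collection<X509Certificate> trusted, Date now) {
        for (X509Certificate t : trusted) {
            if (!t.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) continue;
            try {
                cert.verify(t.getPublicKey());    // same key as the expired issuer cert
                t.checkValidity(now);             // the trusted copy must itself be current
                return t;
            } catch (GeneralSecurityException e) {
                // different key or trusted copy not valid: try the next candidate
            }
        }
        return null;
    }
}
```

With the chain from the thread, cert[0] verifies directly against the trusted replacement, so the expired cert[1] is never date-checked; if no replacement is in the trusted set, the expired cert[1] still raises CertificateExpiredException.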