I have JES 2004Q2 installed on a Red Hat Enterprise Linux 2.1 AS server. The only component of JES I'm using is the Directory Server. I'm having a whole lot of trouble getting SSL certificates to behave properly -- curiously, self-signed certificates do work but genuine certificates (from Thawte and Verisign) do not! Specifically, when using an LDAP browser with SSL turned on (connecting to port 636), my clients get the following error:
"Do you want to trust the following CA certificate (this session only/yes/no)
Subject: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
Valid from: Wed Jul 31 20:00:00 EDT 1996
Valid to: Thu Dec 31 18:59:59 EST 2020"
The problem is, the server already knows that Thawte is a valid CA, so why is it being presented to my clients in this fashion? We have around 60 Thawte certificates installed where I work; this is the only place where we're having trouble with them. I've tried re-generating CSRs and re-issuing the certificates via Thawte's website, all to no avail.
Has anyone seen this behavior before? It's almost as if JES doesn't associate the certificate with the Thawte CA correctly, even though it is aware of both being legitimate. Here is what certutil tells me about the certs:
root@abram cwaltham--# certutil -L -d /var/opt/sun/directory-server/alias -P slapd-empdir-
Certificate Name Trust Attributes
server-cert u,,
Thawte Premium Server CA CTP,CP,CP
p Valid peer
P Trusted peer (implies p)
c Valid CA
T Trusted CA to issue client certs (implies c)
C Trusted CA to certs(only server certs for ssl) (implies c)
u User cert
w Send warning
So, that looks fine to me. But if I use OpenSSL, I see the following:
--cwaltham@ciwara ~--$ openssl s_client -connect empdir.bowdoin.edu:636
CONNECTED(00000003)
depth=1 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=US/ST=Maine/L=Brunswick/O=Bowdoin College/OU=Information Technology/CN=empdir.bowdoin.edu
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
1 s:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
---
Server certificate
(snip)
-----END CERTIFICATE-----
subject=/C=US/ST=Maine/L=Brunswick/O=Bowdoin College/OU=Information Technology/CN=empdir.bowdoin.edu
issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
---
Acceptable client certificate CA names
/C=US/O=VeriSign, Inc./OU=For Test Purposes Only. No assurances./CN=VeriSign Trial Secure Server Test Root CA
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
/C=US/O=VeriSign, Inc./OU=For Test Purposes Only. No assurances./OU=Terms of use at https://www.verisign.com/cps/testca (c)05/CN=VeriSign Trial Secure Server Test CA
---
SSL handshake has read 2428 bytes and written 312 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 05A05C7AF468E209C187F8F50158931E17DB8C794B96EFE0D541CA3B48D75386
Session-ID-ctx:
Master-Key: FB087578DCB090A4F0EB45BB31BC2A96D2D190FE35CD48A60B4492489B07F1EF863E4B4B8CE20FB1DD26C65CC0FBD549
Key-Arg : None
Start Time: 1206033377
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
Does that make sense? Ironically enough, if I generate a CSR and then sign a certificate using our internal, testing-only CA, it works fine. But legitimate Verisign and Thawte certificates fail :-( Does anyone have ideas?
Thanks,
Chris
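Added example (not from the thread or from JES): a small Python checker that parses the "Certificate chain" block and the "Verify return code" line out of an `openssl s_client` transcript like the one above, and reports whether the verify error points at the server (no intermediates sent, broken chain) or at the client's own trust store. The transcript it reads is a constructed, trimmed sample, and the code-to-meaning table follows OpenSSL's X509 verify codes; it assumes the standard s_client output layout.

```python
import re
# Constructed sample, trimmed from the s_client transcript quoted in the post
# (not the poster's verbatim output; only the chain block and verify line matter).
SAMPLE = """Certificate chain
 0 s:/C=US/O=Bowdoin College/CN=empdir.bowdoin.edu
   i:/C=ZA/O=Thawte Consulting cc/CN=Thawte Premium Server CA
 1 s:/C=ZA/O=Thawte Consulting cc/CN=Thawte Premium Server CA
   i:/C=ZA/O=Thawte Consulting cc/CN=Thawte Premium Server CA
---
Server certificate
Verify return code: 19 (self signed certificate in certificate chain)
"""
# Meaning of the X509 verify codes distinguished here (OpenSSL x509_vfy.h values).
FINDINGS = {
    0: "chain verified against the local trust store",
    19: "root is self-signed and absent from the client's trust store: re-run with "
        "-CAfile/-CApath pointing at the CA's root before blaming the server",
    20: "issuer of a chain certificate not found locally: client lacks the intermediate or root",
    21: "only the leaf was sent: the server is not sending its intermediate certificates",
}

def parse_chain(output):
    """Return [(subject, issuer), ...] from s_client's 'Certificate chain' block."""
    chain, in_block, subject = [], False, None
    for line in output.splitlines():
        s = line.strip()
        if s == "Certificate chain":
            in_block = True
        elif in_block and s == "---":
            break
        elif in_block:
            m = re.match(r"(?:\d+\s+)?([si]):(.*)", s)
            if m and m.group(1) == "s":
                subject = m.group(2)
            elif m and subject is not None:
                chain.append((subject, m.group(2)))
                subject = None
    return chain

def diagnose(output):
    """Classify an s_client run: does the verify error point at the server or the client?"""
    chain = parse_chain(output)
    m = re.search(r"Verify return code: (\d+)", output)
    code = int(m.group(1)) if m else None
    # each certificate's issuer must be the subject of the next one the server sent
    linked = all(chain[k][1] == chain[k + 1][0] for k in range(len(chain) - 1))
    root_sent = bool(chain) and chain[-1][0] == chain[-1][1]
    return {"code": code, "chain_length": len(chain), "chain_linked": linked,
            "self_signed_root_sent": root_sent,
            "finding": FINDINGS.get(code, "unclassified verify code %r" % code)}
```

On the sample above the result is code 19 with a linked two-certificate chain ending in a self-signed root, which is what s_client reports whenever it is run without `-CAfile`/`-CApath`; the same run with the CA's root supplied is the check that separates a client trust-store gap from a server misconfiguration.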