Cannot run SSL handshake with WildCard Certificates issued by a CryptoVision CA

  • 7001385
  • 18-Sep-2008
  • 26-Apr-2012

Environment

The Certificate subject name stores a Common Name Attribute (CN) including a wildcard like "*.dus.novell.com"
Novell eDirectory 8.7.3 for All Platforms
Novell iChain 2.3
Novell iChain 2.2

Situation

  • Importing the Certificate did not return any errors
  • No Certificates are sent to the browser client during the SSL handshake
  • Mozilla based browser clients return: "host has sent an incorrect or unexpected message. Error -12258"
  • Microsoft Internet Explorer returns:

    "The page cannot be displayed
    The page you are looking for might have been removed or had its name changed."


Resolution

Make sure your CA does not use "bmpString" encoding for the Common Name (CN).
This issue has been reported to engineering.

Additional Information

The Common Name (CN) attribute has been encoded using the "bmpString" as defined in RFC3280.

Running "openssl asn1parse -inform DER -in certfilename" returns:

147:d=5  hl=2 l=   3 prim: OBJECT          :organizationName
152:d=5  hl=2 l=   4 prim: PRINTABLESTRING :Novell
158:d=3  hl=2 l=  45 cons: SET
160:d=4  hl=2 l=  43 cons: SEQUENCE
162:d=5  hl=2 l=   3 prim: OBJECT          :commonName
167:d=5  hl=2 l=  36 prim: BMPSTRING

The SAS / NILE Service is not able to handle "bmpString" encoded Common Names (CNs).

RFC3280 defines:

  X520CommonName ::= CHOICE {
       teletexString TeletexString (SIZE (1..ub-common-name)),
       printableString PrintableString (SIZE (1..ub-common-name)),
       universalString UniversalString (SIZE (1..ub-common-name)),
       utf8String UTF8String (SIZE (1..ub-common-name)),
       bmpString BMPString (SIZE (1..ub-common-name)) }
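As an added check (example code written for this TID, not a Novell or CryptoVision tool), the following Python walks a DER-encoded Subject Name and reports which of the X520CommonName string types the CA used for each commonName, so a certificate can be flagged for the BMPString case above before it is imported. The sample Subject it builds ("O=Novell, CN=*.dus.novell.com") is constructed here for the demonstration; a real check would read the Subject bytes out of the certificate file instead.

```python
# Added example, not from the TID: minimal DER walker that reports the ASN.1
# string type of each commonName in an X.509 Subject (BMPString = the bad case).
OID_CN = bytes.fromhex("550403")   # id-at-commonName, 2.5.4.3
TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "TeletexString",
        0x1C: "UniversalString", 0x1E: "BMPString"}
CODEC = {0x1E: "utf-16-be", 0x1C: "utf-32-be", 0x14: "latin-1"}  # others: utf-8

def elements(buf):
    """Yield (tag, value) for each DER element in buf, in order."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:             # long form: low bits give length-of-length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + length]
        pos += length

def cn_encodings(name_der):
    """Return [(string_type, cn_text)] for every CN in a DER-encoded Name."""
    found = []
    (tag, rdns), = elements(name_der)      # exactly one top-level SEQUENCE
    assert tag == 0x30, "Name is SEQUENCE OF RelativeDistinguishedName"
    for _, rdn in elements(rdns):          # SET OF AttributeTypeAndValue
        for _, atv in elements(rdn):       # SEQUENCE { type, value }
            (_, oid), (vtag, val) = elements(atv)
            if oid == OID_CN:
                found.append((TAGS.get(vtag, f"tag 0x{vtag:02X}"),
                              val.decode(CODEC.get(vtag, "utf-8"))))
    return found

def bmpstring_cns(name_der):
    """CNs whose value is BMPString-encoded, i.e. the ones SAS/NILE rejects."""
    return [cn for typ, cn in cn_encodings(name_der) if typ == "BMPString"]

def der(tag, payload):
    """Encode one DER TLV with a short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def sample_subject(cn, cn_tag):
    """Constructed Subject 'O=Novell, CN=<cn>' with the CN in the given string type."""
    cn_bytes = cn.encode(CODEC.get(cn_tag, "utf-8"))
    rdn_o = der(0x31, der(0x30, der(0x06, bytes.fromhex("55040A")) + der(0x13, b"Novell")))
    rdn_cn = der(0x31, der(0x30, der(0x06, OID_CN) + der(cn_tag, cn_bytes)))
    return der(0x30, rdn_o + rdn_cn)
```

To check a CA-issued certificate, pass the Subject SEQUENCE bytes (at the offset "openssl asn1parse" reports) to bmpstring_cns(); a non-empty result is the configuration this TID describes.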
Formerly known as TID# 10098216