[jdev] SSL clients complaining
Justin Karneges
justin-keyword-jabber.093179 at affinix.com
Fri Apr 15 17:58:12 CDT 2005
> Is there a way to get the client to stop complaining when it connects in,
> or did I generate the SSL cert incorrectly? Is this normal behaviour?

The following conditions must be met in order to avoid client complaints:

1) The certificate is signed by a known signer.
2) The current system time is within the allowed range of the certificate.
3) The certificate represents the target being contacted (in other words, the
domain name is in the certificate).

If you're using a self-signed certificate, then the signer (yourself) is
likely to be not known by the client. You can usually resolve this by
importing the certificate into the client so that it becomes a known signer.

No matter how you generate your certificate, you should ensure the time range
is valid. If you specify an end date that has passed, then you'll need to
make a new cert.

Finally, a valid certificate isn't very interesting if it isn't representing
what the client is contacting, so you need to ensure that the domain of your
server is in the cert. If you've got "localhost.localdomain" (or something
equally useless) in there then it's not going to work.

Of course, not all clients perform these checks. Psi is the only one I'm
aware of that does this right. If anyone knows of any others, feel free to
mention them.

(Note: Last I checked, Exodus has the particularly weird behavior of doing
steps #2 and #3, but not step #1. This is as effective as doing none of
them, so I don't count it.)

-Justin
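
The three conditions in the message above can be checked against a certificate file before a client ever connects. This is an added example, not part of the original post; it assumes the `openssl` command-line tool is installed, and all host names, file names and certificates in it are constructed.

```shell
#!/bin/sh
# make_cert DIR CN: throwaway self-signed certificate, valid for one day.
# The name goes in the CN only; current clients also expect a subjectAltName.
make_cert() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# check_cert CERT KNOWN HOST: print the numbers of the conditions that fail
# (nothing printed = nothing to complain about); status 0 only if all hold.
check_cert() {
    failed=""
    # 1) Signed by a known signer. KNOWN is a PEM file holding the signers
    #    the client has imported. openssl verify also looks at the dates, so
    #    an expired certificate is reported here as well as under 2.
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || failed="$failed 1"
    # 2) The end date has not passed (-checkend 0 means "valid right now").
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1 || failed="$failed 2"
    # 3) The name the client is contacting is in the certificate.
    openssl x509 -noout -checkhost "$3" -in "$1" 2>/dev/null |
        grep -q "does match certificate" || failed="$failed 3"
    echo "${failed# }"
    [ -z "$failed" ]
}

# Constructed test cases.
d=$(mktemp -d) || exit 1
make_cert "$d/good"  jabber.example.org      # the server's own certificate
make_cert "$d/local" localhost.localdomain   # wrong name in the certificate
make_cert "$d/other" jabber.example.org      # right name and dates, unknown signer
known="$d/good/cert.pem"                     # the one signer this client imported
echo "good : failed [$(check_cert "$d/good/cert.pem" "$known" jabber.example.org)]"
echo "local: failed [$(check_cert "$d/local/cert.pem" "$d/local/cert.pem" jabber.example.org)]"
echo "other: failed [$(check_cert "$d/other/cert.pem" "$known" jabber.example.org)]"
rm -rf "$d"
```

The `other` certificate passes checks 2 and 3 and fails only check 1, which is the case a client that skips the signer check cannot detect.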