[3401] in Release_7.7_team


Re: problem with certificates under netscape 6.2 after deleting old

daemon@ATHENA.MIT.EDU (t. belton)
Tue Jul 16 13:34:52 2002

Date: Tue, 16 Jul 2002 13:34:50 -0400 (EDT)
From: "t. belton" <tbelton@MIT.EDU>
To: Craig Counterman <ccount@mit.edu>
cc: <netscape-release@mit.edu>, <release-team@mit.edu>
In-Reply-To: <3C0E7DFE-98CD-11D6-B4E3-0003939228DC@mit.edu>
Message-ID: <Pine.GSO.4.30L.0207161317360.9771-100000@iphigenia.mit.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

The information below will help. I'll be sending it out to all the
germane places when the Unix Netscape 6 is ready to go, and fix-netscape
will learn to handle it. I do not vouch for Mac and Win versions, but this
is what we have learned about Unix versions. Assuming the problem is on
Mac and Win as well, then the only difference is where you'd look to edit
the user preferences.


1. Netscape 6 only wants certificates that were obtained via Netscape 6.
Not Netscape 4, nor Mozilla 1. (Mozilla 1 WILL use Netscape 6 certs okay,
so if you're using both regularly, use Netscape 6 to get your certs.)

2. Unfortunately, the first time you run Netscape 6 it will try to copy
over any 4.x certs it finds, which is useless. This means that after first
run you will probably find various converted cert*.db and key*.db files
down in your Netscape 6 preferences directory.

(The prefs directory on Unix is ~/.mozilla/username/8randoms.slt, making
the obvious substitutions for 'username' and '8randoms'. There can be
more than one 'username' directory if you have more than one Netscape
"profile," but most of us don't.)

3. You'll need to delete those converted certs. Later we will give the
users a safer way to do this. After doing this, go get a brand-new MIT
site CA (if you need it) and a fresh personal cert.

4. This is still not enough to solve the error message. Assuming you do
not routinely switch between multiple "profiles" - that is, you only use
Netscape under a single username - there is a simple fix.

WITHOUT ANY COPIES OF NETSCAPE RUNNING, go into that
(~/.mozilla/username/8randoms.slt) directory, edit prefs.js, and remove
the lines which begin like this:

user_pref("security.default_mail_cert"
user_pref("security.default_personal_cert"
user_pref("security.default_proxy_cert"

The third of those may or may not be present. (Again, we're going to find
a safer way for users to do this.)

These three lines will be regenerated, we believe, every time you reapply
for certs, or change your certificate preferences in certain ways (notably
the default-cert handling, which is what they control). They will then
have to be deleted again. Basically, Netscape does not offer its "default
certificate" to sites correctly - so the fix is just to not let it think
it has a default.

If you have multiple profiles and switch between them regularly, see me.
Jeff Schiller is currently testing what happens in that event, on an
informal basis; so far he's the only person who's actually had the
situation arise.



On Tue, 16 Jul 2002, Craig Counterman wrote:

> I've reproduced this on macos x and windows.
>
> 1) get a new certificate
> 2) delete old certificates.  I now see that this is not listed as a
> recommendation, but I was studying a problem another user reported after
> getting new certificates and wanted to be sure I was using the new
> certificate.
> 3) restart netscape.
> 4) try to access casetracker, https://web.mit.edu, or other site using
> mit certs.
>
> I get an error "You cannot connect to web.mit.edu because of an unknown
> SSL error (-12227)"
>
> I am not prompted to enter my password for the software security device.
>
> If I log in to the software security device, by going to
> edit->preferences->privacy&security->certificates and then 'manage
> security devices' and log in there, I'm OK.
>
> I suspect that netscape is losing track of its certificates because of
> the deletion.
>
> I expect that deleting the new certificate, so I have none, and then
> getting a new certificate, will fix.  But I'm leaving it broken for now
> in case there are more diagnostics that would be useful.
>
> I haven't yet gotten enough info from the original user to know if this
> is related to his problem, but he claimed to be using netscape 4.08.
>
> Craig
>
>
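
The prefs.js edit from step 4 of the message above, as an added shell example that is not part of the original message or of fix-netscape. The pref-name prefixes and the ~/.mozilla/username/8randoms.slt layout come from the message; the function names and the .bak backup are assumptions, and the script does not itself check that Netscape is stopped.

```shell
#!/bin/sh
# Added example: remove the default-cert prefs from a Netscape 6 prefs.js.
# Run only with no copies of Netscape running (the script does not check).

PATTERN='^user_pref\("security\.default_(mail|personal|proxy)_cert"'

# strip_default_certs FILE
# Removes the matching lines from one prefs.js, leaving a copy in FILE.bak.
# Prints the number of lines removed; the file is untouched if none match.
strip_default_certs() {
    prefs=$1
    [ -f "$prefs" ] || { echo "no such file: $prefs" >&2; return 1; }
    removed=$(grep -Ec "$PATTERN" "$prefs" || true)
    if [ "${removed:-0}" -gt 0 ]; then
        tmp="$prefs.tmp.$$"
        cp -p "$prefs" "$prefs.bak" || return 1
        rc=0
        grep -Ev "$PATTERN" "$prefs" > "$tmp" || rc=$?
        # grep exits 1 when every line was filtered out; only >1 is an error
        [ "$rc" -le 1 ] || { rm -f "$tmp"; return 1; }
        # overwrite in place so prefs.js keeps its owner and mode
        cat "$tmp" > "$prefs" || return 1
        rm -f "$tmp"
    fi
    echo "${removed:-0}"
}

# fix_single_profile [ROOT]
# The message's fix assumes a single profile, so this refuses (status 2)
# unless exactly one */*.slt/prefs.js exists under ROOT (default ~/.mozilla).
fix_single_profile() {
    root=${1:-$HOME/.mozilla}
    count=0
    for f in "$root"/*/*.slt/prefs.js; do
        [ -f "$f" ] || continue
        count=$((count + 1))
        found=$f
    done
    [ "$count" -eq 1 ] || { echo "expected 1 profile, found $count" >&2; return 2; }
    strip_default_certs "$found"
}

# Usage:
#   fix_single_profile "$HOME/.mozilla"
```

Because the message says the three lines come back whenever certs are re-requested or the default-cert preferences change, the function is safe to rerun: it prints 0 and leaves prefs.js alone when nothing matches.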

