Due to the changes in the default SSL behavior, the EMS 6.0.0 server may reject certificates that worked with previous versions of EMS servers.

Article ID: KB0083682

Products: TIBCO Enterprise Message Service
Versions: Not Applicable

Description:
= = = = = =
There is a change in behavior in EMS 6.0.0 which is not mentioned in the Release Notes. Due to the changes in the default SSL behavior, the EMS 6.0.0 server may now reject certificates that worked with previous versions of EMS servers.

Environment:
= = = = = =
All OS
SSL

Resolution:
= = = = = =
1). The server now rejects certificates whose keyUsage and/or extendedKeyUsage field does not contain an appropriate value. If these fields are present in a certificate, they must contain the appropriate value for that field (clientAuth/serverAuth for extendedKeyUsage and digitalSignature for keyUsage).

Workaround:

Fix the certificates so that they contain those values, or remove those fields from the certificates.

OR

Old behavior can be restored by adding "ssl_lax_certs = enable" to tibemsd.conf. Note that this is an undocumented option.

2). The server now rejects certificates that contain a custom basicConstraints extension that is marked as critical.

Workaround:

Remove the critical attribute from the certificate.

OR

Old behavior can be restored by adding "ssl_lax_certs = enable" to tibemsd.conf. Note that this is an undocumented option.

The above issues can be detected by enabling SSL debug tracing (+SSL_DEBUG) and looking for the following message:

SSL verify error 26: unsupported certificate purpose, ...

Note for EMS 8.0.0: ssl_lax_certs is not supported from EMS 8.0.0 on. If you are using invalid certificates that relied on the ssl_lax_certs property, you will have to fix these certificates. Since EMS 6.0.0, EMS clients that use certificates with an extendedKeyUsage extension have been required to include the client authentication flag. Starting with EMS 8.3.0-HF02 and 8.4.0, and EMS Appliance 2.4.0-HF01 and 2.5.0, client certificates are considered valid with either the client authentication flag or the server authentication flag, or both.
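The following added example (not TIBCO's code) applies the three rules above, items 1 and 2 and the relaxed extendedKeyUsage check for later releases, to the X509v3 extension block that `openssl x509 -noout -text` prints, so a certificate can be screened before the EMS server rejects it. The sample extension text, the role names and the `eku_lenient` flag are constructed for this example.

```python
import re

# Constructed sample (not a real certificate): the X509v3 extensions block as
# printed by `openssl x509 -in cert.pem -noout -text`.
SAMPLE_EXTENSIONS = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""

def parse_extensions(text):
    """Map each X509v3 extension name to (is_critical, [values]) from openssl text output."""
    exts, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*X509v3 (.+?):\s*(critical)?\s*$", line)
        if m and m.group(1) != "extensions":
            current = m.group(1)
            exts[current] = (m.group(2) is not None, [])
        elif current and line.strip():
            exts[current][1].extend(v.strip() for v in line.split(","))
    return exts

def ems_certificate_check(exts, role, eku_lenient=False):
    """Return the reasons an EMS 6.0.0+ server (without ssl_lax_certs) would reject the cert.

    role: "client" or "server" (the side that presents the certificate).
    eku_lenient: True for EMS 8.3.0-HF02 / 8.4.0 and later, where a client
    certificate passes with either clientAuth or serverAuth in extendedKeyUsage.
    """
    problems = []
    ku = exts.get("Key Usage")
    if ku and "Digital Signature" not in ku[1]:
        problems.append("keyUsage present but lacks digitalSignature")
    eku = exts.get("Extended Key Usage")
    if eku:
        has_client = "TLS Web Client Authentication" in eku[1]
        has_server = "TLS Web Server Authentication" in eku[1]
        if role == "server" and not has_server:
            problems.append("extendedKeyUsage present but lacks serverAuth")
        if role == "client" and not (has_client or (eku_lenient and has_server)):
            problems.append("extendedKeyUsage present but lacks clientAuth")
    bc = exts.get("Basic Constraints")
    # The KB rejects a custom basicConstraints marked critical; any critical
    # basicConstraints is flagged here so that it gets a human look.
    if bc and bc[0]:
        problems.append("basicConstraints is marked critical")
    return problems

if __name__ == "__main__":
    for reason in ems_certificate_check(parse_extensions(SAMPLE_EXTENSIONS), "client"):
        print("would be rejected:", reason)
```

Run it against your own certificate by piping `openssl x509 -in cert.pem -noout -text` into `parse_extensions`; an empty list means none of the KB's three rules is triggered.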

Keywords/Tags:
= = = = = =
SSL, unsupported, certificate, purpose