Ready or not…

It would seem that Internet Explorer 7 will be pushed out to the world this week. Those of us who do a fair amount of browser-based testing in enterprises with an IE6 browser standard might want to wait before going to IE7. If you do, here are the instructions for blocking automatic delivery.

Also: On the teeny tiny chance that any of you are maintaining sites protected by a self-signed openssl-generated CA certificate, you may want to do a quick test with IE7 before your users get updated.

This is an extremely specific case, but I was unlucky enough to run into trouble with IE7 and use of a self-generated CA certificate. It turned out that the CA cert I generated was missing one or more server extensions that IE6 and Mozilla were willing to overlook the absence of, but which IE7 required in order for the certificate to be considered “trusted”. The CA cert that gave me such problems was generated by OpenSSL using the default config file that came with a not-that-new Linux distro (in this case Mandrake 10.1).

I believe the problem was that I didn’t have a CA-specific section in my config file with bits like this in it:

basicConstraints        = critical, CA:true, pathlen:0
nsCertType              = sslCA
keyUsage                = cRLSign, keyCertSign
extendedKeyUsage        = serverAuth, clientAuth

You can see the entire context by going to this great reference article by Security Focus — check out the config file they list under “Method 3: Certificate signed by a local CA”. I can verify that if you replace the default openssl config file with the one in their article, and follow their instructions, everything works beautifully :)

It isn’t exactly a dire emergency should this happen — users are presented with the certificate error screen, but can click “Continue to this website” and get to their content. Still, if you happened to generate your CA cert the same way I did, and want to be absolutely 100% sure that your users won’t get that nasty “There is a problem with this website’s security certificate” error when they get their forced IE7 upgrade and subsequently access your site, you might want to view your CA cert and check for server extensions. In the unlikely event that you have none at all, I forecast that you will have problems.
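One way to do that check, as an added example that is not from the original post or the Security Focus article: the function below reads the text dump of a certificate and reports which of the four extensions from the config snippet above are absent. The function names and the two sample dumps are constructed for illustration; the labels it searches for are the ones `openssl x509 -noout -text` prints.

```shell
# Added example: SAMPLE_* are constructed excerpts of
# `openssl x509 -noout -text` output, not real certificates.
SAMPLE_WITH_EXT='        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            Netscape Cert Type: 
                SSL CA
            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication'
SAMPLE_NO_EXT='        Version: 1 (0x0)
        Subject: CN=Example Local CA'

# has_ext LABEL VALUE: succeeds when the line following LABEL in $dump
# contains VALUE (openssl prints an extension's value on the next line).
has_ext() {
    printf '%s\n' "$dump" | awk -v label="$1" -v value="$2" '
        prev { if (index($0, value)) ok = 1; prev = 0 }
        index($0, label) { prev = 1 }
        END { exit ok ? 0 : 1 }'
}

# Reads a certificate text dump on stdin, prints the names of the four
# extensions from the config snippet that are absent, returns 1 if any are.
check_ca_extensions() {
    dump=$(cat)
    missing=""
    has_ext 'X509v3 Basic Constraints' 'CA:TRUE' || missing="$missing basicConstraints"
    has_ext 'Netscape Cert Type' 'SSL CA' || missing="$missing nsCertType"
    has_ext 'X509v3 Key Usage' 'Certificate Sign' || missing="$missing keyUsage"
    has_ext 'X509v3 Extended Key Usage' 'TLS Web Server Authentication' \
        || missing="$missing extendedKeyUsage"
    missing=${missing# }
    if [ -n "$missing" ]; then
        printf 'missing: %s\n' "$missing"
        return 1
    fi
    printf 'all four extensions present\n'
}

# Real use: openssl x509 -in cacert.pem -noout -text | check_ca_extensions
printf '%s\n' "$SAMPLE_NO_EXT" | check_ca_extensions || true
```

A CA certificate that reports any of these as missing is the one to test against IE7 before the update reaches your users.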

I hope this affects absolutely none of you… but if it does, I hope at least the links I’ve brought up here can get you going quickly.

2 thoughts on “Ready or not…”

  1. I just hit this today, I've been working with Firefox/Linux no problems, securing app servers, web-servers and application links, all fine. I then tried migrating a web app to an SSL protected server, and hit this – drove me nuts, checked opera/win32 (ok) firefox/win32 (ok) ie6 (fails) ie7 (fails). You seem to describe the issue exactly. I shall explore, thanks for the pointer!
