Setting SSL Options

This section describes how to set your SSL preferences. To set your preferences:

1. Open the Tools menu and choose Options.
2. Click the Advanced category.
3. On the Advanced panel, scroll to the Security section. (If no subcategories are visible, click to expand the list.)
4. Check the appropriate options. Refer to SSL Protocol Versions for more information on these settings.

SSL Protocol Versions

The Secure Sockets Layer (SSL) protocol defines rules governing mutual authentication between a web site and browser software and the encryption of information that flows between them. The Transport Layer Security (TLS) protocol is an IETF standard based on SSL. TLS 1.0 can be thought of as SSL 3.1.

You should normally leave these three checkboxes selected to ensure that both older and newer web servers can work with the browser:

• Use SSL 2.0: Allows older web servers to work with the browser.
• Use SSL 3.0: Allows newer web servers to work with the browser.
• Use TLS 1.0: Allows web servers that support TLS to take advantage of it.

Important note re TLS: Some servers that do not implement SSL correctly cannot negotiate the SSL handshake with client software (such as the browser) that supports TLS. Such servers are known as "TLS intolerant."

When the Enable TLS option in the SSL preferences panel is selected, the browser attempts to use the TLS protocol when making secure connections with a server. If that connection fails because the server is TLS intolerant, the browser will fall back to using SSL 3.0.

Controlling Validation

As discussed above under Get Your Own Certificate, a certificate is a form of identification, much like a driver's license, that you can use to identify yourself over the Internet and other networks. However, also like a driver's license, a certificate may expire or become invalid for some other reason. Therefore, your browser software needs to confirm the validity of any given certificate in some way before trusting it for identification purposes.

This section describes how Certificate Manager validates certificates and how to control that process. To understand the process, you should have some familiarity with public-key cryptography. If you are not familiar with the use of certificates, you should check with your system administrator before attempting to change any of your browser's certificate validation settings.

How Validation Works

Whenever you use or view a certificate stored by Certificate Manager, it takes several steps to verify the certificate. At a minimum, it confirms that the CA's digital signature on the certificate was created by a CA whose own certificate is (1) present in the Certificate Manager's list of available CA certificates and (2) marked as trusted for issuing the kind of certificate being verified.

If the CA certificate is not itself present, the certificate chain for the CA certificate must include a higher-level CA certificate that is present and correctly trusted. Certificate Manager also confirms that the certificate being verified is currently marked as trusted in the certificate store. If any one of these checks fails, Certificate Manager marks the certificate as unverified and won't recognize the identity it certifies.

A certificate can pass all these tests and still be compromised in some way; for example, the certificate may be revoked because an unauthorized person has gained access to the certificate's private key. A compromised certificate can allow an unauthorized person (or web site) to pretend to be the certificate owner.

One way to combat this threat is for Certificate Manager to check a certificate revocation list (CRL) as part of the verification process (see Managing CRLs, below). Typically, you download a CRL to your browser by clicking a link. If a CRL is present, Certificate Manager checks any certificate issued by the same CA against the list as part of the verification process.

The reliability of CRLs depends on the frequency with which they are both updated by a server and checked by a client. You can configure your Automatic CRL Update Preferences so that a CRL will be updated automatically at regular intervals with the version currently on the server.

Another way to combat the threat of compromised certificates is to use a special server that supports the Online Certificate Status Protocol (OCSP). Such a server can answer client queries about individual certificates (see Configuring OCSP, below).

The server, called an OCSP responder, receives an updated CRL periodically from the CA that issues the certificates to be verified. You can configure Certificate Manager to submit a status request for a certificate to the OCSP responder, and the OCSP responder confirms whether the certificate is valid.

Managing CRLs

A certificate revocation list (CRL) is list of revoked certificates. A certificate authority (CA) might revoke a certificate, for example, if it has been compromised in some way—much the way a credit card company might revoke your credit card if you report that it's been stolen.

This section describes how to import and manage CRLs.

For background information, see How Validation Works.

For detailed descriptions of CRL settings that you can control, see Validation Settings.

About the "Next Update" Date

The browser uses the CRLs it has available to check the validity of certificates issued by the corresponding CAs. If a certificate is listed as revoked, the browser won't accept it as evidence of identity.

A CA typically publishes an updated CRL at regular intervals. Every CRL includes a date, specified in the Next Update field, by which the CA will publish the next update of that CRL. In general, if the date in the Next Update field is earlier than the current date, you should obtain the most recent version of the CRL. To view CRL information and set up automatic CRL updating, see Viewing and Managing CRLs.

CAs are required to produce a new CRL by the Next Update date. However, the absence of the most recent CRL does not by itself invalidate a certificate. For this reason, if the most recent CRL is not available, a certificate may be validated even though the most recent CRL shows it as expired. Automatic CRL updating can help to avoid this situation.

Importing CRLs

You can import the latest CRL from a CA into your browser. To import a CRL, follow these steps:

1. Go to the URL specified by the CA or by your system administrator and click the link for the CRL that you want to import.

   The Import Status dialog box appears.

2. Confirm that the CRL was imported successfully and that it's the one you wanted. In most cases you should also click Yes, which enables automatic updating of the CRL you just imported.
3. The next step depends on whether you click Yes or No in the Import Status dialog box:

   Yes: The Automatic CRL Update Preferences dialog box appears. In this case, go on to step 4.

   No: The Import Status dialog box closes. If you change your mind and decide to enable automatic updates after all, see Viewing and Managing CRLs.

4. Select the option labeled "Enable Automatic Update for this CRL".
5. Decide how you want to schedule the automatic updates:
• Update __ days before Next Update date: Select this option if you want to base the update frequency on the frequency with which the CRL publisher publishes a new version of the CRL.
• Update every __ days: Select this option if you want to specify an update interval unrelated to the CRL's Next Update date.
6. Click OK to confirm your choices.

Viewing and Managing CRLs

You can view and manage CRLs available to the browser through the browser's Validation preferences:

1. From the Tools menu, select Options.
2. Under the Advanced category, click Validation. (If no subcategories are visible, double-click + to expand the list.)
3. Click Manage CRLs in the Validation panel to see a list of the CRLs available to Certificate Manager.

To delete or update a CRL, select it and click the appropriate button.

To set up automatic updates for a CRL, select the CRL and click Settings. The Automatic CRL Update Preferences dialog box appears:

1. Select the option labeled "Enable Automatic Update for this CRL".
2. Decide how you want to schedule the automatic updates:
• Update __ days before Next Update date. Select this option if you want to base the update frequency on the frequency with which the CRL publisher publishes a new version of the CRL.
• Update every __ days. Select this option if you want to specify an update interval unrelated to the CRL's Next Update date.
3. Click OK to confirm your choices.

Configuring OCSP

The settings that control OCSP are part of Validation preferences. To view Validation preferences, follow these steps:

1. From the Tools menu, select Options.
2. Under the Advanced category, click Validation. (If no subcategories are visible, double-click + to expand the list.)

For information about the OCSP options available, see OCSP.

Validation Settings

This section describes how to set Validation preferences and how to control Certificate Revocation List (CRL) settings.

For step-by-step descriptions of various tasks related to validation and CRLs, see How Certificate Validation Works.

Validation Preferences

This section describes how to use the Validation Settings panel.

1. From the Tools menu, select Options.
2. Select the Advanced panel and then double-click on the Validation category to open it.
3. Click Manage CRLs to see a list of the CRLs available to Certificate Manager.
4. Choose one of the appropriate setting to specify how Certificate Manager uses OCSP.
   The Online Certificate Status Protocol (OCSP) makes it possible for Certificate Manager to perform an online check of a certificate's validity each time the certificate is viewed or used. This process involves checking the certificate against a certificate revocation list (CRL) maintained at a specified web site. Your computer must be online for OCSP to work.

When you choose a Response Signer certificate from the pop-up menu, Certificate Manager fills in the Service URL (if available) for that signer automatically. If the Service URL is not filled in automatically, you must provide it yourself; ask your system administrator for details.

Refer to window help for more information on these fields.

For background information on certificate validation, see How Certificate Validation Works.

Manage CRLs

This section describes how to use the Manage CRLs dialog box. To view it, follow these steps:

1. From the Tools menu, select Options.
2. Select the Advanced panel and then double-click on the Validation category to open it.
3. Click Manage CRLs.

This dialog box displays a list of the CRLs that you have downloaded for use by your browser. Typically, you download a CRL by clicking a URL. FOr information about how CRLs work, see Managing CRLs.

To select a CRL, click it. You can then perform any of these actions:

• Delete: Deletes the CRL permanently from your hard disk. Don't do this unless you're sure you no longer need the CRL for validating certificates. If in doubt, consult your system administrator.
• Settings: Opens the Automatic CRL Update Preferences dialog box, which allows you to activate automatic CRL updates for the selected CRL and specify how frequently they should be performed.
• Update: Immediately updates the selected CRL (if possible).

The Manage CRLs dialog box provides the following information about each CRL:

• Organization (O): The name of the organization that issued the CRL.
• Organizational Unit (OU): The name of the organizational unit that issued the CRL (such as the root CA for a particular kind of certificate).
• Last Update: The date on which the browser's copy of this CRL was last updated.
• Next Update: The next date on which an updated version of this CRL will be published by the CRL issuer.
• Auto Update: Indicates whether Auto Update has been enabled for this CRL. To view the settings that control auto updating, select the CRL and click Settings.
• Auto Update Status:
  • If Auto Update has not been enabled, or if it has been enabled but the next scheduled update has not yet occurrred, this field will be blank.
  • After at least one auto update has occurred, this field shows "failed" if the most recent auto update failed, or "OK" if the most recent auto update was successful.

CRL Import Status

This section describes how to use the CRL Import Status dialog box, which appears when you first attempt to import a CRL or when you successfully update it manually.

This dialog box informs you

• whether your attempt to import or update the CRL was successful
• what organization issued the CRL
• when the next update of this CRL will be published
• whether Automatic Update is enabled for this CRL

If Automatic Update is not enabled, you can turn it on from here:

• Yes: Click Yes to enable automatic updating of this CRL. If you click this button, the Automatic CRL Update Preferences dialog box appears next. The next section describes how to set these preferences.
• No: Click No if you wish to leave Automatic Update disabled.

Automatic CRL Update Preferences

This section describes how to use the Automatic CRL Update Preferences dialog box. If you are not already viewing it, follow these steps:

1. From the Tools menu, select Options.
2. Select the Advanced panel and then double-click on the Validation category to open it.
3. Click Manage CRLs, then select the CRL whose auto update preferences you want to view or change.
4. Click Settings.

This dialog box displays the following options and information:

• Enable Automatic Update for this CRL: Select this option if you want the CRL you selected to be updated automatically according to the schedule you set here. (Note that you can't select this option if the CRL doesn't specify a Next Update date.)

  If you enable Automatic Update, you must select one of these radio buttons:

  • Update X days before Next Update date. Select this option if you want to base the update frequency on the frequency with which the CRL publisher publishes a new version of the CRL.
  • Update every X days. Select this option if you want to specify an update interval unrelated to the CRL's Next Update date.
• CRL would be imported from: Indicates the URL from which the browser originally imported the CRL. This setting cannot be changed. To specify a different location, delete the CRL and re-import it from the new location.
• Previous Consecutive Update Failures: Indicates how many times update attempts for this CRL have failed consecutively, including the most recent failure:
  • If the most recent attempt was successful, this reads "None" even if there were previous unsuccessful attempts.
  • If the most recent attempt failed, this indicates the number of consecutive failures and the error message for the most recent failure.

Click OK to confirm your choices.

April, 2005

Copyright 1994-2005 Netscape Communications Corporation.