000021391 - Error: 'Certificate Verification: Error (25): non-critical basic constraint failure' appears in error log of RSA ClearTrust Agent 3.5 for Access Control Module (ACM)

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000021391
Applies ToRSA ClearTrust Agent 3.5 for Access Control Module (ACM)
Certificate-based Authentication
X.509 Certificate
Certificate Extension: Basic Constraints Path length = 0
IssueError: "Certificate Verification: Error (25): non-critical basic constraint failure" appears in error log of RSA ClearTrust Agent 3.5 for Access Control Module (ACM)
After prompting for a certificate, Internet Explorer displays error "Page cannot be displayed"
CauseThe certificate verification used during SSL handshake incorrectly handles a pathLenConstraint of zero in the X.509 Basic Constraints extension of CA certificates. As a result, SSL handshake in mutually authenticated mode would reject a certificate chain sent by the servers if there were any intermediate signers and if the basic constraints extension did not contain a path length. The path length is optional. If not present, no path length limit should be imposed.
ResolutionThis issue is resolved in hot fix 3.5.0.23 (Windows) and 3.5.0.24 (Linux) for RSA ClearTrust Agent 3.5 for Access Control Module (ACM). The fix upgrades the relevant SSL components. Contact RSA Security Customer Support to request this hot fix, or request the latest fix level (which is cumulative, and contains fixes from previous fix levels). Review the provided Readme file for installation instructions.
Legacy Article IDa22758

Attachments

    Outcomes