|Applies To||RSA ClearTrust Agent 3.5 for Access Control Module (ACM)|
Certificate Extension: Basic Constraints Path length = 0
|Issue||Error: "Certificate Verification: Error (25): non-critical basic constraint failure" appears in error log of RSA ClearTrust Agent 3.5 for Access Control Module (ACM)|
After prompting for a certificate, Internet Explorer displays error "Page cannot be displayed"
|Cause||The certificate verification used during SSL handshake incorrectly handles a pathLenConstraint of zero in the X.509 Basic Constraints extension of CA certificates. As a result, SSL handshake in mutually authenticated mode would reject a certificate chain sent by the servers if there were any intermediate signers and if the basic constraints extension did not contain a path length. The path length is optional. If not present, no path length limit should be imposed.|
|Resolution||This issue is resolved in hot fix 18.104.22.168 (Windows) and 22.214.171.124 (Linux) for RSA ClearTrust Agent 3.5 for Access Control Module (ACM). The fix upgrades the relevant SSL components. Contact RSA Security Customer Support to request this hot fix, or request the latest fix level (which is cumulative, and contains fixes from previous fix levels). Review the provided Readme file for installation instructions.|
|Legacy Article ID||a22758|