Closed
Bug 287760
Opened 19 years ago
Closed 6 months ago
OCSP signature verification issue - error 8182 SEC_ERROR_BAD_SIGNATURE
Categories
(NSS :: Libraries, defect, P5)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: hari.nair, Assigned: rrelyea)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

I'm trying to get the Firefox browser to check client certificates via OCSP to a Tumbleweed OCSP Responder. I can see the browser make a query to the Responder, and see that the Responder accepts the request and issues a response (with the proper status). Firefox, however, is not happy with the response, and spits out a generic "8182" error which seems to indicate that it could not verify the signature on the response. I have tried directly adding the responder's signing certificate into Firefox's certificate stores, as well as just having the browser trust the issuing CA of the responder cert - without any change in behavior. Anybody know what I could be missing? Do I have to get my responder cert issued off a CA that Firefox trusts as a "built-in" CA - one that Firefox is compiled with and pre-configured to trust? Or can I just add my own CA certificate as a "software token" that the browser can be configured to trust?

Reproducible: Always

Steps to Reproduce:
1. Configure a Responder with a self-signed certificate, or a delegated certificate issued off a local CA [not trusted within the browser's trust database]
2. Add the responder's self-signed certificate, or the issuing CA's certificate, into the browser's trust database
3. Invoke validation by visiting a secure site over SSL

Actual Results: Error code of -8182 returned, and browser refused to display page of secure server

Expected Results: Browser should have been able to verify response from the OCSP responder.
Comment 1•19 years ago
This sounds more like a call for help than a bug. Try the newsgroups forums from http://www.mozilla.org/support/#community -- for this case the netscape.public.mozilla.crypto newsgroup. All the filed bugs that mention this error code (except bug 249004) ended up INVALID or WORKSFORME so it sounds like it's fairly common people set this stuff up wrong when they try to make their own certs. https://bugzilla.mozilla.org/buglist.cgi?field0-0-0=product&type0-0-0=substring&value0-0-0=8182&field0-0-1=component&type0-0-1=substring&value0-0-1=8182&field0-0-2=short_desc&type0-0-2=substring&value0-0-2=8182&field0-0-3=status_whiteboard&type0-0-3=substring&value0-0-3=8182 If the n.p.m.crypto guys confirm the bug have them reopen this with better technical details of the flaw.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Component: Security → Libraries
Product: Firefox → NSS
Resolution: --- → INVALID
Comment 2•19 years ago
It would help if the reporter could supply, as attachments to this bug:
- a CA cert to trust in the browser
- an OCSP cert
- an internet-facing website with appropriate SSL cert.
Comment 3•19 years ago
More information sent to me by reporter:

http://ocsp.disa.mil/ - welcome page and also port that OCSP queries are sent to.
http://ocsp.disa.mil/~stats - stats page
http://ocsp.disa.mil/getvaconfig?ocsp -- to fetch the configuration information, which returns back to Desktop Validator the self-signed certificate or CA delegated certificate.

And... This cert below is both the OCSP responder certificate and the CA certificate for the purpose of validation of the signed OCSP response. It should be handled in a similar way to directly trusted SSL sites.

-----BEGIN CERTIFICATE-----
MIICnTCCAgagAwIBAgIBADANBgkqhkiG9w0BAQUFADB8MQswCQYDVQQGEwJ1czEL
MAkGA1UECBMCVFgxFDASBgNVBAcTC1NhbiBBbnRvbmlvMRMwEQYDVQQKEwpBRiBQ
S0kgU1BPMQ0wCwYDVQQLEwRVU0FGMSYwJAYDVQQDEx1odHRwOi8vdXNhZm9jc3Au
c2F0eC5kaXNhLm1pbDAeFw0wMzA3MjQxNTE1MzRaFw0wNjA5MTExNTE1MzRaMHwx
CzAJBgNVBAYTAnVzMQswCQYDVQQIEwJUWDEUMBIGA1UEBxMLU2FuIEFudG9uaW8x
EzARBgNVBAoTCkFGIFBLSSBTUE8xDTALBgNVBAsTBFVTQUYxJjAkBgNVBAMTHWh0
dHA6Ly91c2Fmb2NzcC5zYXR4LmRpc2EubWlsMIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDBaP+xid/31h4E3ZznnXjH/i+pYJy8RPxKbAtrRijssMeYkAYNMiov
c9IzXTvRnRxLqgylW+t/nVoDq49r5RTvunpIrGApy4YN601guhltHkjxUzgyH8Rb
O8l8Ub1RDgVDs6dHEfEL+Ile8ieHRVP68nsckv91YI1axLaSUgCgmQIDAQABoy8w
LTAJBgNVHRMEAjAAMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDCTAN
BgkqhkiG9w0BAQUFAAOBgQCO7T2QLkSnqnKb1vKRPxrHfxWqT7d24ZuoTliFPt5k
8Ic/bruiSseesfgyaIf96fw2htrA4CnsxwXYMkA2IVZxqWepV9d3oz76ZKz0q1wk
aDglpHGGLZrxxvEIYSCjXwyiCFUvyfLXahnbQMdlVDxDJF7b3K2gNQRW9UVoBjg5
Nw==
-----END CERTIFICATE-----

I will look at this to determine if there is merit to reopen the bug.
Comment 4•19 years ago
Steve, I have been able to reproduce this problem with our CA and OCSP. re-opening this bug.
Updated•19 years ago
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Updated•19 years ago
Assignee: dveditz → wtchang
Status: UNCONFIRMED → NEW
Ever confirmed: true
Also working with Tumbleweed OCSP with Firefox. Problem is, no option is given to continue on a website if OCSP is not available. Ex: https://bugzilla.mozilla.org after requiring use of OCSP is selected: "Error trying to validate certificate from bugzilla.mozilla.org using OCSP - unknown certificate". I don't see any option setting available for this to be only a warning instead of a stop alert.
Updated•18 years ago
QA Contact: firefox → libraries
Comment 7•15 years ago
BTW, error -8182 is SEC_ERROR_BAD_SIGNATURE
Summary: OCSP signature verification issue - error 8182 → OCSP signature verification issue - error 8182 SEC_ERROR_BAD_SIGNATURE
Comment 8•15 years ago
See also bug 341004 which reports that error SEC_ERROR_BAD_SIGNATURE is the wrong error code to report for some OCSP and CRL revocation situations.
Comment 9•2 years ago
In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.
Severity: major → --
Updated•6 months ago
Severity: -- → S4
Status: NEW → RESOLVED
Closed: 19 years ago → 6 months ago
Priority: -- → P5
Resolution: --- → WONTFIX