Closed
Bug 903964
Opened 11 years ago
Closed 8 years ago
Connection failed for site with self-signed certificate
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: gvlatyshev, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 (Beta/Release)
Build ID: 20130725122636

Steps to reproduce:
1. Install server certificate from http://exch.chem.msu.ru/cert/exch.crt
2. go to https://exch.chem.msu.ru/owa/

Actual results:
Secure Connection Failed
An error occurred during a connection to exch.chem.msu.ru. security library: improperly formatted DER-encoded message. (Error code: sec_error_bad_der)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

Expected results:
Outlook web access login page

Note: this is the regression from firefox 22 Mozilla/5.0 (X11; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0
Comment 1•11 years ago
I have reason to believe that your certificate is wrong. It contains the sequence (in DER encoding):

30 0f 06 03 55 1d 13 01 01 ff 04 05 30 03 02 01 00

This is the encoding of an extension as per http://tools.ietf.org/html/rfc5280#section-4.1

Sequence prefix: 30 0f
extnID: 06 03 55 1d 13 (is id-ce-basicConstraints)
critical: 01 01 ff (boolean true)
extnValue: 04 05 30 03 02 01 00 (octet string with contents 30 03 02 01 00)

About the critical: "A certificate-using system MUST reject the certificate if it encounters a critical extension it does not recognize or a critical extension that contains information that it cannot process."

The extnValue is a sequence, so for your cert:

seq prefix: 30 03
first element: 02 01 00 (i.e. integer with value 256)

http://tools.ietf.org/html/rfc5280#section-4.2.1.9 states that the first element must be a boolean. This is missing in your cert.

I think that firefox does the right thing, rejecting this certificate. All other browsers which accept it are malfunctioning :-)
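The byte-by-byte breakdown in comment 1, as an added example (not part of the bug thread and not NSS code): a minimal Python DER walker that splits the quoted extension bytes into extnID, the critical flag and the elements inside extnValue. All function and constant names are illustrative.

```python
# Added example: minimal DER walker (single-byte tags, definite lengths only).
EXT_HEX = "30 0f 06 03 55 1d 13 01 01 ff 04 05 30 03 02 01 00"  # bytes quoted in comment 1
BOOLEAN, INTEGER, OCTET_STRING, OID, SEQUENCE = 0x01, 0x02, 0x04, 0x06, 0x30

def read_tlv(buf, pos=0):  # returns (tag, value_bytes, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split constructed contents into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(val):  # OID content octets -> dotted-decimal string
    arcs, acc = [], 0
    for b in val:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def parse_extension(der):
    """Decode one RFC 5280 Extension into (extnID, critical, inner elements)."""
    tag, body, end = read_tlv(der)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    fields = children(body)
    if len(fields) not in (2, 3) or fields[0][0] != OID or fields[-1][0] != OCTET_STRING:
        raise ValueError("not an Extension")
    critical = len(fields) == 3 and fields[1] == (BOOLEAN, b"\xff")
    inner_tag, inner, _ = read_tlv(fields[-1][1])  # extnValue wraps the real value
    if inner_tag != SEQUENCE:
        raise ValueError("extnValue does not hold a SEQUENCE")
    return decode_oid(fields[0][1]), critical, children(inner)
```

Calling `parse_extension(bytes.fromhex(EXT_HEX))` yields the basicConstraints OID, a true critical flag, and a single INTEGER element inside the extnValue with no BOOLEAN before it.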
Updated•11 years ago
Assignee: nobody → nobody
Component: Untriaged → Libraries
Product: Firefox → NSS
Version: 23 Branch → trunk
Comment 2•8 years ago
invalid per comment 1. But please comment if you disagree
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID