Closed Bug 903964 Opened 11 years ago Closed 8 years ago

Connection failed for site with self-signed certificate

Categories

(NSS :: Libraries, defect)

x86
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: gvlatyshev, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 (Beta/Release)
Build ID: 20130725122636

Steps to reproduce:

1. Install server certificate from http://exch.chem.msu.ru/cert/exch.crt
2. go to https://exch.chem.msu.ru/owa/


Actual results:

Secure Connection Failed
An error occurred during a connection to exch.chem.msu.ru.
security library: improperly formatted DER-encoded message.
(Error code: sec_error_bad_der)
  The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
  Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.


Expected results:

Outlook web access login page

Note: this is a regression from Firefox 22

Mozilla/5.0 (X11; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0
I have reason to believe that your certificate is wrong.
It contains the sequence (in DER encoding):
30 0f 06 03 55 1d 13 01 01 ff 04 05 30 03 02 01 00

This is the encoding of an extension as per http://tools.ietf.org/html/rfc5280#section-4.1

Sequence prefix: 30 0f
extnID: 06 03 55 1d 13  (is id-ce-basicConstraints)
critical: 01 01 ff (boolean true)
extnValue: 04 05 30 03 02 01 00 (octet string with contents 30 03 02 01 00)

About the critical: "A certificate-using system MUST reject the certificate if it encounters a critical extension it does not recognize or a critical extension that contains information that it cannot process."

The extnValue is a sequence, so for your cert:
seq prefix: 30 03
first element: 02 01 00 (i.e. integer with value 256)

http://tools.ietf.org/html/rfc5280#section-4.2.1.9 states that the first element must be a boolean. This is missing in your cert.
I think that Firefox does the right thing, rejecting this certificate. All other browsers which accept it are malfunctioning :-)
Assignee: nobody → nobody
Component: Untriaged → Libraries
Product: Firefox → NSS
Version: 23 Branch → trunk
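As an added example (not code from this bug, from NSS or from Firefox), the following Python decodes the 17 bytes quoted in comment 1 first as an X.509 Extension and then as BasicConstraints per RFC 5280 section 4.2.1.9, where cA is a BOOLEAN with DEFAULT FALSE (so DER omits it when false) and pathLenConstraint is an OPTIONAL INTEGER that MUST NOT be present unless cA is TRUE. Decoded that way, 30 03 02 01 00 is cA absent (FALSE) with pathLenConstraint = 0 (02 01 00 is the INTEGER 0), which the RFC rule rejects; two well-formed encodings, constructed here for comparison, are accepted. The parser is a deliberately small hand-written one and does not model NSS's own decoder or its error codes.

```python
"""Minimal DER decoder for an X.509 Extension carrying basicConstraints.

Added example, not from the bug, NSS or Firefox. Hand-written parser that
handles exactly the tags needed here; NSS's decoder is not modelled.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

ID_CE_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # OID 2.5.29.19
TAG_BOOLEAN, TAG_INTEGER, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x01, 0x02, 0x04, 0x06, 0x30


class DerError(ValueError):
    """Structurally bad DER (the situation NSS reports as sec_error_bad_der)."""


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the TLV at buf[pos]; short and one-byte long lengths only."""
    if pos + 2 > len(buf):
        raise DerError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        if (length & 0x7F) != 1:
            raise DerError("unsupported length encoding")
        length, pos = buf[pos], pos + 1
    end = pos + length
    if end > len(buf):
        raise DerError("length exceeds buffer")
    return tag, buf[pos:end], end


def expect(buf: bytes, pos: int, tag: int) -> Tuple[bytes, int]:
    """Read one TLV and insist on a specific tag."""
    got, value, nxt = read_tlv(buf, pos)
    if got != tag:
        raise DerError(f"expected tag 0x{tag:02x}, got 0x{got:02x}")
    return value, nxt


@dataclass
class BasicConstraints:
    ca: bool
    path_len: Optional[int]


def decode_basic_constraints(extn_value: bytes) -> BasicConstraints:
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }.

    DER requires DEFAULT values to be omitted, so no BOOLEAN means cA = FALSE.
    """
    body, end = expect(extn_value, 0, TAG_SEQUENCE)
    if end != len(extn_value):
        raise DerError("trailing bytes after BasicConstraints")
    ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == TAG_BOOLEAN:
        val, pos = expect(body, pos, TAG_BOOLEAN)
        if val not in (b"\x00", b"\xff"):
            raise DerError("DER BOOLEAN must be 00 or FF")
        ca = val == b"\xff"
    if pos < len(body) and body[pos] == TAG_INTEGER:
        val, pos = expect(body, pos, TAG_INTEGER)
        path_len = int.from_bytes(val, "big", signed=True)
        if path_len < 0:
            raise DerError("pathLenConstraint must be non-negative")
    if pos != len(body):
        raise DerError("unexpected element in BasicConstraints")
    return BasicConstraints(ca, path_len)


def check_extension(ext: bytes) -> BasicConstraints:
    """Parse one Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue } and apply RFC 5280 rules."""
    body, end = expect(ext, 0, TAG_SEQUENCE)
    if end != len(ext):
        raise DerError("trailing bytes after Extension")
    oid, pos = expect(body, 0, TAG_OID)
    critical = False
    if pos < len(body) and body[pos] == TAG_BOOLEAN:
        val, pos = expect(body, pos, TAG_BOOLEAN)
        critical = val == b"\xff"
    extn_value, pos = expect(body, pos, TAG_OCTET_STRING)
    if pos != len(body):
        raise DerError("trailing bytes inside Extension")
    if oid != ID_CE_BASIC_CONSTRAINTS:
        # RFC 5280 4.2: an unrecognised critical extension is fatal.
        raise ValueError("unrecognised critical extension" if critical else "not basicConstraints")
    bc = decode_basic_constraints(extn_value)
    # RFC 5280 4.2.1.9: pathLenConstraint is only permitted when cA is TRUE.
    if bc.path_len is not None and not bc.ca:
        raise ValueError("pathLenConstraint present but cA is FALSE")
    return bc


def verdict(ext: bytes) -> str:
    """Accept/reject summary string, so callers can compare outcomes."""
    try:
        bc = check_extension(ext)
    except (DerError, ValueError) as exc:
        return f"reject: {exc}"
    return f"accept: cA={bc.ca} pathLen={bc.path_len}"


# Constructed inputs: the bytes quoted in comment 1, plus a well-formed
# end-entity encoding and a well-formed CA (pathLen 0) encoding for comparison.
BAD_EXT = bytes.fromhex("300f0603551d130101ff04053003020100")
EE_EXT = bytes.fromhex("300c0603551d130101ff04023000")
CA_EXT = bytes.fromhex("30120603551d130101ff040830060101ff020100")

if __name__ == "__main__":
    for name, ext in (("bug", BAD_EXT), ("end-entity", EE_EXT), ("CA", CA_EXT)):
        print(f"{name:10s} {verdict(ext)}")
```

Running the block prints a reject line for the bytes from the bug and accept lines for the two constructed encodings. Note that the rejection here comes from the RFC 5280 semantic rule rather than from a DER syntax error: the bytes parse cleanly as a SEQUENCE holding a single INTEGER, which is why a permissive decoder that ignores the cA/pathLenConstraint dependency will happily accept the certificate.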
Invalid per comment 1.
But please comment if you disagree
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID