Closed Bug 1028647 Opened 10 years ago Closed 4 years ago

nss 3.16.1 breaks accessing https://sacoche.ac-caen.fr/

Categories

(NSS :: Libraries, defect, P1)

3.16.1
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: tmb, Assigned: cviecco)

Attachments

(1 file, 1 obsolete file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0 (Beta/Release)
Build ID: 20140622015533

Steps to reproduce:

Build firefox 24.6 esr or firefox 30 against nss-3.16.1 and try to access https://sacoche.ac-caen.fr/



Actual results:

We get the error in browser: sec_error_cert_not_in_name_space, and no way to get past that...


Expected results:

Building the same firefox against nss-3.16.0 shows https://sacoche.ac-caen.fr/ properly with a valid ssl certificate,
and it seems to be a fallout of:
* Imposed name constraints on the French government root CA ANSSI (DCISS)
  https://bugzilla.mozilla.org/show_bug.cgi?id=952572
  https://hg.mozilla.org/projects/nss/rev/742307da0792
And I've now confirmed that reverting:
https://hg.mozilla.org/projects/nss/rev/742307da0792

makes https://sacoche.ac-caen.fr/ accessible again
Camilo: please take a look at this bug. Thanks.
Assignee: nobody → cviecco
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Priority: -- → P1
Target Milestone: --- → 3.16.3
Blocks: 952572
Bug 952572 constrained the root certificate to issuing certificates for domain names to a set of top level domains (TLDs).

The server at sacoche.ac-caen.fr returns a certificate chain, where the topmost certificate has the following properties:

  Issuer: "E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR"
  Subject: "CN=AC Education Nationale,OU=110 043 015,
            O=Ministere Education Nationale (MENESR),C=FR,E=igc@orion.education.fr"
  (no subject alt name extension)

The cert has been issued by the restricted issuer.

The subject name (CN) isn't a domain name, and therefore doesn't match the restriction.
The code added in bug 952572 doesn't support the scenario where intermediate CA certificates are used, which don't use a hostname.

(If a constrained intermediate CA cert contained an allowed hostname, would the constraint be enforced to all subordinate certificates, too?)
Actually there is at least one problem that comes from the leaf cert:
It has two DNS entries:
DNS:sacoche.ac-caen.fr, DNS:sacoche
Per name constraints the second entry is not covered, so the cert is invalid.
Kaie, I think your analysis is incorrect. Yes, the code added in bug 952572 does not add anything about intermediates, as that is covered by CERT_CompareNameSpace. Though this revealed a bug in mozilla::pkix regarding ANSSI roots (Bug 1030204).

We do cover the case of intermediate certificates without names.


> If a constrained intermediate CA cert contained an allowed hostname, would the constraint be enforced to all subordinate certificates, too?

Yes. (This was being tested in the PSM testing code for NSS until this week.)


$PATH/bin/vfychain -u 1  -a /tmp/sacoche.ac-caen.fr.pem -a /tmp/AC-Infrastructures.pem -a /tmp/AC-Enseignement-Scolaire.pem  -a /tmp/AC-Education-Nationale.pem
Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 4. CN=sacoche.ac-caen.fr,OU=ac-caen,OU=110 043 015,O=Ministere Education Nationale (MENESR),C=FR [Certificate Authority]:
  ERROR -8080: The Certifying Authority for this certificate is not permitted to issue a certificate with this name.
$PATH/bin/vfychain -u 3  -a /tmp/AC-Infrastructures.pem -a /tmp/AC-Enseignement-Scolaire.pem  -a /tmp/AC-Education-Nationale.pem
Chain is good!
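The two vfychain runs above differ only in whether the leaf is included: the CA-only chain passes, the full chain fails because the leaf's second SAN entry ("sacoche") is a bare label that no TLD-style permitted subtree covers. The following is an added example, not NSS code, that models the RFC 5280 4.2.1.10 dNSName constraint check well enough to reproduce both outcomes. The permitted subtree ".fr", the certificate records, the order of the intermediates, and the rule that a subject CN is only treated as a name when it is syntactically a hostname are all assumptions made for illustration, not a description of the ANSSI constraint list or of NSS internals.

```python
# Added example (not NSS or mozilla::pkix code): a simplified RFC 5280
# dNSName name-constraint walk over a leaf-first certificate chain.
# Certificates are plain dicts; the ".fr" subtree and the records below are
# constructed assumptions for illustration only.

import re

# Syntactic hostname: dot-separated labels of [A-Za-z0-9-] that neither start
# nor end with "-". Anything with spaces, "/" or "@" is not a hostname.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def looks_like_hostname(value):
    """True if value could be a DNS hostname (e.g. CN=sacoche.ac-caen.fr);
    False for CNs such as 'AC Education Nationale' or 'IGC/A'."""
    return bool(HOSTNAME_RE.match(value))


def dns_name_permitted(name, permitted):
    """RFC 5280 4.2.1.10: a dNSName satisfies a constraint when it equals the
    constraint or is formed by adding labels on the left.  A constraint written
    with a leading dot (".fr") is treated as requiring at least one added label,
    so "fr" alone would not match ".fr" (assumption: both spellings accepted)."""
    name = name.lower().rstrip(".")
    for c in permitted:
        c = c.lower()
        if c.startswith("."):
            if name.endswith(c) and len(name) > len(c):
                return True
        elif name == c or name.endswith("." + c):
            return True
    return False


def names_to_constrain(cert):
    """Names the issuer's constraints apply to.  SAN dNSName entries always
    count; with no SAN the subject CN counts only if it is syntactically a
    hostname (assumed rule).  An intermediate CA whose CN is an organisation
    name therefore contributes no names and cannot itself violate a constraint."""
    if cert["san_dns"]:
        return list(cert["san_dns"])
    cn = cert["subject_cn"]
    return [cn] if looks_like_hostname(cn) else []


def check_chain(chain):
    """chain: leaf first, root last.  Returns (subject_cn, name) for every
    name that falls outside the permitted subtrees of *all* constrained CAs
    above it (RFC 5280 intersects constraints down the path).  Certificates
    above the first constrained CA are not checked."""
    violations = []
    active = []  # permitted-subtree lists of constrained CAs seen so far
    for cert in reversed(chain):  # walk root -> leaf
        for name in names_to_constrain(cert):
            for permitted in active:
                if not dns_name_permitted(name, permitted):
                    violations.append((cert["subject_cn"], name))
                    break
        if cert.get("permitted_dns"):
            active.append(cert["permitted_dns"])
    return violations


def make_cert(cn, san_dns=(), permitted_dns=None):
    return {"subject_cn": cn, "san_dns": list(san_dns), "permitted_dns": permitted_dns}


# Constructed stand-in for the chain in the comment above.  The CNs follow the
# comment; the ".fr" subtree and the intermediate ordering are assumptions.
ROOT = make_cert("IGC/A", permitted_dns=[".fr"])
AC_EDUCATION = make_cert("AC Education Nationale")
AC_ENSEIGNEMENT = make_cert("AC Enseignement Scolaire")
AC_INFRA = make_cert("AC Infrastructures")
LEAF_BAD = make_cert("sacoche.ac-caen.fr", san_dns=["sacoche.ac-caen.fr", "sacoche"])
LEAF_FIXED = make_cert("sacoche.ac-caen.fr", san_dns=["sacoche.ac-caen.fr"])

CA_CHAIN = [AC_INFRA, AC_ENSEIGNEMENT, AC_EDUCATION, ROOT]        # vfychain -u 3 case
FULL_CHAIN_BAD = [LEAF_BAD] + CA_CHAIN                             # vfychain -u 1 case
FULL_CHAIN_FIXED = [LEAF_FIXED] + CA_CHAIN                         # leaf reissued w/o "sacoche"

if __name__ == "__main__":
    for label, chain in (("CA-only chain", CA_CHAIN),
                         ("full chain", FULL_CHAIN_BAD),
                         ("full chain, fixed leaf", FULL_CHAIN_FIXED)):
        v = check_chain(chain)
        print(label, "->", "Chain is good!" if not v else "Chain is bad! %r" % v)
```

The point the example makes is the one Camilo raises: the intermediates pass not because the code special-cases them but because they carry no DNS name for the constraint to bite on, while a short-name SAN entry on the leaf is outside every TLD-style subtree and fails regardless of whether the other entry is fine.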
Attached patch Fix comments in test scripts (obsolete) — Splinter Review
Camilo:

1. I have a question about a comment in tests/chains/scenarios/nameconstraints.cfg.

I also fixed what seems like a typo in tests/libpkix/certs/make-nc.

2. The dcissblocked and dcissallowed test certs are issued directly
by the root CA. Please add test cases that have an intermediate CA.
Attachment #8445985 - Flags: review?(cviecco)
Comment on attachment 8445985 [details] [diff] [review]
Fix comments in test scripts

Review of attachment 8445985 [details] [diff] [review]:
-----------------------------------------------------------------

::: tests/chains/scenarios/nameconstraints.cfg
@@ +7,5 @@
>  db trustanchors
>  
>  import NameConstraints.ca:x:CT,C,C
>  import NameConstraints.ncca:x:CT,C,C
> +# XXX Is this comment referring to NameConstraints.dcisscopy?
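Review bot: the added `# XXX Is this comment referring to NameConstraints.dcisscopy?` line is a question to the reviewer rather than documentation of the scenario, and placing it after the `NameConstraints.ncca` import leaves its referent ambiguous. Once the referent is confirmed, replace the question with a statement naming the certificate it describes and put it directly above that import line, so no `XXX` marker ends up in the checked-in nameconstraints.cfg.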

No this is to ncca.
Attachment #8445985 - Flags: review?(cviecco) → review+
Sure I will write the intermediate tests.
Target Milestone: 3.16.3 → 3.17
I moved the comment before the ncca line.
Attachment #8445985 - Attachment is obsolete: true
Attachment #8446283 - Flags: review?(cviecco)
Attachment #8446283 - Flags: review?(cviecco) → review+
Comment on attachment 8446283 [details] [diff] [review]
Fix comments in test scripts, v2

Patch checked in: https://hg.mozilla.org/projects/nss/rev/b47135fe72d4
Attachment #8446283 - Flags: checked-in+

This looks like the same issue as bug 1048267. There was an issue with the website's certificate, and after it was updated, the site could load. So this should be resolved.

The other bug was marked INVALID, but this one did have a patch committed (comments only). I guess FIXED would work for this bug.

Flags: needinfo?(jjones)

Agreed, thanks.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Flags: needinfo?(jjones)
QA Contact: jjones
Resolution: --- → FIXED