Closed Bug 1048267 Opened 10 years ago Closed 10 years ago

Certificate error since Firefox 31 "sec_error_cert_not_in_name_space" and cannot add exception

Categories

(Core :: Security: PSM, defect)

31 Branch
x86
Windows 7
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: nico286, Assigned: igca)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 (Beta/Release)
Build ID: 20140716183446

Steps to reproduce:

Since I updated Firefox 30 to Firefox 31 (Windows), I can't access certain https websites.



Actual results:

I get an error "sec_error_cert_not_in_name_space" and I see no way to add an exception.
If I try to access those websites with another browser, it works.

Example of a public URL I can't access: https://sacoche.ac-caen.fr/

My OS is Windows seven


Expected results:

I expect the page to load correctly, or a warning page to add an exception.
It's due to bug 1030204 (see 1st comment). I guess it's the normal behaviour now.
Blocks: 1030204
Component: Untriaged → Security: PSM
Product: Firefox → Core
Kathleen, does this mean that sacoche.ac-caen.fr still isn't using the proper certificate?
Flags: needinfo?(kwilson)
(In reply to David Keeler (:keeler) [use needinfo?] from comment #2)
> Kathleen, does this mean that sacoche.ac-caen.fr still isn't using the
> proper certificate?

Sorry, I don't understand the question. Here's my current understanding...

sacoche.ac-caen.fr <- AC Infrastructures <- AC Enseignement Scolaire <- AC Education Nationale <- IGC/A (DCSSI)
this cert validity is
Not Before: (2/4/14, 13:57:20  GMT)
Not After: (2/4/16, 13:57:20  GMT)

According to Bug #952572 and Bug #1030204 the IGC/A (DCSSI/ANSSI) root is constrained to:
.fr, .gp, .gf, .mq, .re, .yt, .pm, .bl, .mf, .wf, .pf, .nc, .tf 

So sacoche.ac-caen.fr should be fine.

I thought the way the constraints were implemented for this root would not require new certs.
Flags: needinfo?(kwilson)
(In reply to David Keeler (:keeler) [use needinfo?] from comment #2)
> Kathleen, does this mean that sacoche.ac-caen.fr still isn't using the
> proper certificate?

Keeler, you are correct. Look at the alt-names in the cert. It includes "sacoche", which is NOT in the constrained name space.
From the cert:
 ....
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:sacoche.ac-caen.fr, DNS:sacoche
            Authority Information Access: 
                CA Issuers - URI:http://www.igc.education.fr/Infrastructures.crt

            X509v3 Authority Key Identifier: 
                keyid:BE:38:22:7F:72:46:A9:D6:84:15:9F:D5:C8:28:7F:5C:B3:02:20:CB

            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.20326.69.1.1.4.1
----
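The two comments above give everything needed to reproduce the verifier's decision by hand: the permitted dNSName subtrees of the IGC/A root (.fr, .gp, ...) and the SAN of the leaf, which carries both sacoche.ac-caen.fr and the unqualified name sacoche. The script below is an added example, not code from the bug, from NSS or from mozilla::pkix: it parses the SAN block out of openssl-style "x509 -text" output and checks every dNSName against the permitted subtrees using RFC 5280 subtree matching. The constructed input is the certificate excerpt quoted in comment #7; the leading-dot encoding of the constraints mirrors the list quoted in the thread and is an assumption, not the root program's internal representation.

```python
"""Added example: name-constraint check of a leaf's SAN against a root's
permitted dNSName subtrees. Not the bug's, NSS's or mozilla::pkix's code."""
from typing import List, Tuple

# Constructed input: the extension block quoted in comment #7 of the bug.
CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:sacoche.ac-caen.fr, DNS:sacoche
            Authority Information Access: 
                CA Issuers - URI:http://www.igc.education.fr/Infrastructures.crt
"""

# Permitted dNSName subtrees of the IGC/A root as listed in the thread.
# Assumption: a leading dot means "any host with at least one label under
# this TLD"; the TLD itself (e.g. "fr") is not a permitted name.
PERMITTED_SUBTREES = [".fr", ".gp", ".gf", ".mq", ".re", ".yt", ".pm",
                      ".bl", ".mf", ".wf", ".pf", ".nc", ".tf"]


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def parse_san_dns_names(cert_text: str) -> List[str]:
    """Return the DNS: entries of the Subject Alternative Name extension from
    openssl 'x509 -text' style output (values are indented deeper than the
    extension header; the next header ends the value block)."""
    lines = cert_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith("X509v3 Subject Alternative Name"):
            header_indent = _indent(line)
            entries: List[str] = []
            for value_line in lines[i + 1:]:
                if _indent(value_line) <= header_indent:
                    break
                entries.extend(p.strip() for p in value_line.split(","))
            return [e[len("DNS:"):].lower() for e in entries if e.startswith("DNS:")]
    return []


def dns_name_permitted(name: str, constraint: str) -> bool:
    """RFC 5280 dNSName subtree matching: the name equals the constraint or is
    a subdomain of it (label boundary respected). A constraint written with a
    leading dot matches only names that have a label to the left of it."""
    name = name.lower().rstrip(".")
    constraint = constraint.lower()
    if constraint.startswith("."):
        return name.endswith(constraint) and len(name) > len(constraint)
    return name == constraint or name.endswith("." + constraint)


def check_name_constraints(dns_names: List[str],
                           permitted: List[str]) -> Tuple[bool, List[str]]:
    """Return (ok, offending_names). One SAN entry outside every permitted
    subtree makes the whole certificate unacceptable: the validator cannot
    tell a mis-issued SAN from a CA issuing outside its namespace, which is
    why this error is not overridable by an exception."""
    offending = [n for n in dns_names
                 if not any(dns_name_permitted(n, c) for c in permitted)]
    return (len(offending) == 0, offending)


def main() -> None:
    names = parse_san_dns_names(CERT_TEXT)
    ok, offending = check_name_constraints(names, PERMITTED_SUBTREES)
    print("SAN dNSNames:", names)
    if ok:
        print("all names inside the permitted subtrees")
    else:
        print("sec_error_cert_not_in_name_space for:", offending)


if __name__ == "__main__":
    main()
```

Running it reports sacoche.ac-caen.fr as permitted and sacoche as outside every subtree, which is exactly the CA's customer problem: re-issuing the certificate without "DNS:sacoche" makes the check pass, and no browser-side exception is needed or offered.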
Thank you for the clarification.

Assigning to the CA, because their customer needs a new cert that does not have "DNS:sacoche" in the SAN.
Assignee: nobody → igca
Thank you for your help

But even if the certificate has a problem, why can't we add an exception?
Is there a way to skip this problem and display the web page anyway?
No solution?
Essentially, the certificate verification library can't (in general) distinguish between this mistake and an attack where a rogue CA issues a certificate for something not in its allowed namespace. As a result, this is not something Firefox would allow certificate exceptions for.
Mh ok, thank you

But if the user wants to load the website anyway, Firefox should allow the user to add an exception. Even if it thinks that it's an attack. The user has the final word.
Hello,

I agree with Nico286. 

Some existing deployments use this kind of certificate and should stay accessible without having to juggle different browsers.

I know that the human factor can lead to less secure environments, but not all technicians are incompetent and these decisions should stay under human control.
The proper solution to this particular problem is to replace the SSL certificate with a cert that has correct DNS entries in the SAN. I have sent email to the CA to ask them to get this resolved.
The CA worked with their customer, and resolved the problem on August 19th.
I tested by browsing to https://sacoche.ac-caen.fr/ in Firefox 32 -- no errors.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
OK... but as far as I am concerned, I don't care about sacoche.ac-caen.fr :)
I have the same problem with several other sites.
+1 for Nico286's suggestion: the final user, once advised, should be able to decide whether or not Firefox should display the website.
Hello

Indeed sacoche.ac-caen.fr was only an example. I have the problem with an internal website and I noticed it on several other sites.
It's always the same message: "sec_error_cert_not_in_name_space"

sacoche.ac-caen.fr works now, but only sacoche.ac-caen.fr, the problem is not solved :/
No way to display websites with "sec_error_cert_not_in_name_space" error, while other browsers have no problem to do it.
Resolution: FIXED → INVALID
Could you try with a clean profile, please?
https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles
Flags: needinfo?(nico286)
Just tried these steps:
1) Close Firefox (31.0)
2) Run "Firefox.exe -p"
3) Create a new profile called "Test", uncheck "use as default"
4) Run firefox.exe and choose the "Test" profile.

These steps didn't solve the problem (still can't access several sites with the same message "sec_error_cert_not_in_name_space")
Please list the sites that are failing, so the CA can work with their customers to get their certificates fixed.
I don't want to list such sites because, in my opinion, it is not the right way to deal with this problem.
As nico286 said, the problem is not only for public websites, but it can impact internal sites, intra/extranet etc... Moreover I suppose the www is full of this kind of site.
If Firefox is not able to ask me whether or not I agree to access a site that seems to be risky, well I may consider switching to another favorite browser, with regrets though.
I tried with Google Chrome, https works, but when I go to the certificate details, it shows more details in red:
"The identity of this website has not been verified.
The identity of the server you are connected to cannot be fully validated. You are connected to a server using a name only valid within your network, which an external certificate authority has no way to validate ownership of. As some certificate authorities will issue certificates for these names regardless, there is no way to ensure you are connected to the intended website and not an attacker."

I think it's the same problem described here : http://serverfault.com/questions/545935/chrome-displays-ssl-error-due-to-use-of-local-top-level-domain

So in my case, it doesn't work because it's a local website that implies local DNS? What can I do?
Flags: needinfo?(nico286)
(In reply to nico286 from comment #21)
> So in my case, it doesn't work because it's a local website that implies
> local DNS? What can I do?

That sounds like a different problem, such as Bug #1034124

The problem in this bug was that the SSL cert had a DNS entry in the SAN that was not allowed as per the CA's constraints. -- See Comment #7
I also encounter this bug in firefox 24.8.1 and 34.0a2 (aurora) on debian x86_64 when I try to browse some internal website of my company.

I would have expected Firefox to prompt the usual "this connection is untrusted" window it shows when a certificate issue appears and allow me to override it.

It's really painful to be forced to close my favorite browser and use another one (e.g. chromium) which lets me override this.
(In reply to vey.quentin from comment #23)
> I also encounter this bug in firefox 24.8.1 and 34.0a2 (aurora) on debian
> x86_64 when I try to browse some internal website of my company.
> 
> I would have expected Firefox to prompt the usual "this connection is
> untrusted" window it shows when a certificate issue appears and allow me to
> override it.
> 
> It's really painful to be forced to close my favorite browser and use
> another one (e.g. chromium) which lets me override this.

Can you post the problematic certificates?
(In reply to Camilo Viecco (:cviecco) from comment #24)
> (In reply to vey.quentin from comment #23)
> > I also encounter this bug in firefox 24.8.1 and 34.0a2 (aurora) on debian
> > x86_64 when I try to browse some internal website of my company.
> > 
> > I would have expected Firefox to prompt the usual "this connection is
> > untrusted" window it shows when a certificate issue appears and allow me to
> > override it.
> > 
> > It's really painful to be forced to close my favorite browser and use
> > another one (e.g. chromium) which lets me override this.
> 
> Can you post the problematic certificates?

Well,
1- I don't know how to extract this certificate. Could you tell me how?
2- Whatever the certificate is, the behaviour I expect from Firefox is to let me override the certificate check and continue even if the certificate is ill-formed/invalid for this address. (+1 for Nico286) This is a lack of consistency: the user can add any unknown certificate from the web (even malicious ones) with just a nice warning like "banks and legitimate sites won't ask you to do so" but can't override this "sec_error_cert_not_in_name_space" on a private corporate network for a non-critical service.
+1 again...
There is an Export button in the Details tab in the certificate viewer.
And so...? One more time, the problem exposed here is not related to one certificate or another; it just points out that the user is unable to bypass this new security feature.
Eyh, why is this "resolved"?
In my opinion it is neither resolved nor invalid.
(In reply to Yuhong Bao from comment #27)
> There is an Export button in the Details tab in the certificate viewer.

In the meantime the certificate on my corporate network has been updated and now generates an ssl_error_bad_cert_domain, which is easily overridable, so I can't send the faulty one.
I can't get to tons of basic popular sites using FF.
Every time I have to right-click and copy the Link Location and use another browser (Chrome).

FF 38.3.0
Error: Secure Connection Failed: sec_error_cert_not_in_name_space
Sample URL: https://www.wikipedia.org
(In reply to MTemple from comment #31)
> I can't get to tons of basic popular sites using FF.
> Everytime I have to right-click and copy the Link Location and use another
> browser (Chrome).
> 
> FF 38.3.0
> Error: Secure Connection Failed: sec_error_cert_not_in_name_space
> Sample URL: https://www.wikipedia.org

This is discussed in bug 1179495.