Closed Bug 1051727 Opened 10 years ago Closed 10 years ago

X509v4 certificates are rejected with "sec_error_extension_value_invalid"

Categories

(Core :: Security: PSM, defect)

31 Branch
x86_64
Linux
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 1047177

People

(Reporter: spider, Unassigned, NeedInfo)

Attachments

(1 file)

30.00 KB, application/x-tar
Attached file testv4.tar
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 (Beta/Release)
Build ID: 20140717120014

Steps to reproduce:

* Generate a certificate+CA with a x509v4 header
* Make sure it has extensions
* Get sec_error_extension_value_invalid error when connecting Firefox 31.0 against it



Actual results:

It seems we had an off by one error on cert generation in our code, causing our local CA + x509 certificates to be version 4 (0x03) rather than version 3.

This went undiscovered for a while until Firefox 31 hit, and we cannot use our internal infrastructure due to the error: sec_error_extension_value_invalid

Certificate extension value is invalid. (Error code: sec_error_extension_value_invalid)


Expected results:

A different kind of error ( Version 4 not supported ) or otherwise handling the error with a proper error message would be good.

Other than that, how will Firefox deal with the next x509 spec? Is it acceptable to fail to authenticate with all future versions of x509? Do we really want Mozilla/Firefox teams to make another "you can't upgrade to Foo.new because Firefox won't work", the way Windows XP and SNI have hampered the rest of the world from adopting TLS?


Further on, it would be -REALLY- helpful if Firefox allowed you to -export- the invalid certificates so you could see -what it complains about-.

Currently, Firefox refuses to show data about a certificate it doesn't like, because it doesn't like that certificate, leading to funny debugging nightmares.

Attached are a CA + client + server certificates that demonstrate this.
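Added example, not part of the bug report or its attachment: a minimal DER walker that reads the X.509 version field from a certificate and applies the RFC 5280 rule (Version ::= INTEGER { v1(0), v2(1), v3(2) }; extensions only in v3). The `skeleton` helper builds constructed, structurally valid certificate skeletons (empty bodies, not real certificates) so the reporter's off-by-one (field value 3, i.e. "v4") can be reproduced and caught before deploying a CA.

```python
def der(tag, payload):
    """Encode one DER TLV; short-form length only (payload < 128 bytes),
    which is enough for the constructed skeletons below."""
    return bytes([tag, len(payload)]) + payload

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; handles long-form
    lengths so it also walks real certificates."""
    tag = buf[pos]
    n = buf[pos + 1]
    pos += 2
    if n & 0x80:                                  # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def check_version(cert_der):
    """Return (version, has_extensions, verdict) for a DER Certificate.
    version is the human-numbered X.509 version (field value + 1)."""
    _, body, _ = read_tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(body, 0)                 # tbsCertificate SEQUENCE
    tag, val, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                               # [0] EXPLICIT version
        _, v, _ = read_tlv(val, 0)
        version = int.from_bytes(v, "big") + 1
        tag, val, pos = read_tlv(tbs, pos)        # serialNumber
    else:
        version = 1                               # DEFAULT v1 (field omitted)
    for _ in range(5):                            # signature, issuer, validity, subject, spki
        tag, val, pos = read_tlv(tbs, pos)
    has_ext = False
    while pos < len(tbs):                         # optional [1], [2], [3]
        tag, val, pos = read_tlv(tbs, pos)
        has_ext = has_ext or tag == 0xA3          # [3] EXPLICIT extensions
    if version > 3:
        return version, has_ext, "unsupported version"
    if has_ext and version != 3:
        return version, has_ext, "extensions require v3"
    return version, has_ext, "ok"

def skeleton(version_field, with_ext):
    """Constructed certificate skeleton: version_field is the raw INTEGER
    (None omits the field), other fields are empty SEQUENCEs."""
    tbs = b"" if version_field is None else der(0xA0, der(0x02, bytes([version_field])))
    tbs += der(0x02, b"\x01")                     # serialNumber
    tbs += der(0x30, b"") * 5                     # placeholder bodies
    if with_ext:
        tbs += der(0xA3, der(0x30, der(0x30, b"")))
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
```

Running `check_version` on the reporter's CA file (`open(path, "rb").read()` of the DER form) would report version 4 with extensions present, which is the condition the error message hides.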

I've not looked at your certificates (I don't have enough expertise).

Bug 1047177 looks very similar to me.

See Bug 1047177 comment # 11 (and 12).

Have you tried using about:config to change the setting
"security.use_mozillapkix_verification" to "false"
in Firefox 31 as a workaround?

This workaround, using the older code, will not work in Fx33+ as the older methods are being removed.


https://blog.mozilla.org/security/2014/04/24/exciting-updates-to-certificate-verification-in-gecko/

https://wiki.mozilla.org/SecurityEngineering/Certificate_Verification
This wiki has recently been clarified in light of the recent changes.

https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing

Since mozilla::pkix became the default for Certificate Verification,
in Fx 31, there have been quite few bugs reported.

DJ-Leith
(Same user, different account)

We're not interested in workarounds; we're mostly concerned about forward compliance with future versions of the x509 spec and not creating a broken upgrade path.

However, as a datapoint I can verify that changing that key makes the certificates pass as working. (With the usual complaints, click, check verify do the silly dance of untrusted, yadda)

Again, changing our cert infrastructure isn't a hard job (a bit cumbersome, but something we do regularly); however, un-breaking a situation where, in the face of an upgraded x509 spec, -all- older Firefox browsers break down is not going to be a fun state of the internet.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
This is still not fixed. Just upgraded to 33.0 and I still get this error:
Secure Connection Failed
An error occurred during a connection to 192.168.2.1. The key does not support the requested operation. (Error code: sec_error_invalid_key)
___
my local router is with a self signed cert - what could possibly be a security concern here and why should I pay Verisign $$ for a recognised cert, to make Firefox 33.0 work with my router that has been working for years?!?
Can you please fix this? This is ridiculous...
sec_error_invalid_key is a different issue. It probably means that the router's key is too small to offer (very) useful protection.

Please try Firefox Nightly: https://nightly.mozilla.org/. If it works in Firefox Nightly then it's just a matter of time until it is fixed in a release version of Firefox. (I don't recommend using Firefox Nightly for normal browsing though.) Please report back the results. Thanks!
Flags: needinfo?(dian)