Error code: sec_error_invalid_key

RESOLVED DUPLICATE of bug 1084606

Status

Core
Security: PSM
--
major
3 years ago
3 years ago

People

(Reporter: well.reversed, Unassigned)

Tracking

33 Branch
x86
Mac OS X
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141011015303

Steps to reproduce:

https://192.168.1.1


Actual results:

Secure Connection Failed

An error occurred during a connection to 10.0.8.1:8888. The key does not support the requested operation. (Error code: sec_error_invalid_key)

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.


Expected results:

I should be allowed to use my own self-signed certificate to access my router! Apparently I'm supposed to use Chrome or Safari now?
(Reporter)

Comment 1

3 years ago
Same behavior on 10.0.8.1, 192.168.1.1, etc.
Severity: normal → major

Comment 2

Maybe we could allow overriding more things if the target is in an IPv4 private network?

Reporter:
What kind of router do you use?
A self-signed certificate is not the problem. You get errors like this only if there is something else wrong with the certificate.
Component: Untriaged → Security: PSM
Product: Firefox → Core

Comment 3

3 years ago
Hi, could you check Bug 1084606 Comment 4 (or at least Comment 3), and see if you get similar results to the reporter there? I suspect that this is a duplicate.

Thanks.
Flags: needinfo?(well.reversed)

Comment 4

3 years ago
On Linksys switches, HTTPS uses self-signed certs (and that is not possible to change), which are not accepted by the new versions of Firefox & SeaMonkey ...
so we must have the old-style add-exception option ...
Quite an URGENT and BLOCKING issue, as local network configuration is not possible ... going back to older versions, which have their own exception definitions, is more of a security hole ...

Comment 5

3 years ago
Also, new ZyXEL switches are affected by these unchangeable self-signed certs ...

Comment 6

3 years ago
(In reply to DaLiV from comment #5)
> Also, new ZyXEL switches are affected by these unchangeable self-signed certs ...

Can you please provide examples of the public portions of the affected certs?
Flags: needinfo?(DaLiV)

Comment 7

3 years ago
Modulus (512 bits):
b4 00 b0 ae 73 c0 e2 2d d5 3e a1 bb be 6b 64 d3 
fe a9 fa 77 af 49 8d 03 51 26 4f ed b3 bd 0e 8b 
ee 8d c3 2c ee 5e 58 af 38 d9 85 60 90 8b 7f b5 
c1 17 a3 ad 0a 99 86 83 e6 36 be d1 19 2e bb 7f
Flags: needinfo?(DaLiV)

Comment 8

3 years ago
(In reply to DaLiV from comment #7)
> Modulus (512 bits):
> b4 00 b0 ae 73 c0 e2 2d d5 3e a1 bb be 6b 64 d3 
> fe a9 fa 77 af 49 8d 03 51 26 4f ed b3 bd 0e 8b 
> ee 8d c3 2c ee 5e 58 af 38 d9 85 60 90 8b 7f b5 
> c1 17 a3 ad 0a 99 86 83 e6 36 be d1 19 2e bb 7f

That's not enough to go on; can you provide the full public key info from the cert dialog when using an older version to connect to the site, please?
Flags: needinfo?(DaLiV)

Comment 9

3 years ago
full public cert ... 
Flags: needinfo?(DaLiV)

Comment 10

3 years ago
dkeeler, can you help diagnose what's going on here? Thanks!
Flags: needinfo?(dkeeler)

Comment 11

3 years ago
(IMHO) the size of the cert is 512 ... new security enforcement requires 1024 ... exceptions written in SeaMonkey/Firefox for certs that do not meet the requirements are ignored ...

Comment 12

Looks like the same as bug 1084606 (i.e. 512 bits is too small to be considered secure for an RSA key). We're still working on allowing users who need to connect to devices with this problem an option to continue while still protecting the majority of our users. See bug 1084606 comment 17.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Flags: needinfo?(dkeeler)
Resolution: --- → DUPLICATE
Duplicate of bug: 1084606
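
Added example (not code from this bug or from Mozilla): a standard-library Python check that reads the RSA modulus size from a PEM or DER certificate, the property the comment above identifies as the cause of the error. The 1024-bit floor, the function names and the constructed sample structure are assumptions made for illustration.

```python
import base64
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1
MIN_RSA_BITS = 1024  # assumed floor, the figure mentioned in comment 11

def read_tlv(buf, pos=0):  # decode one DER element: (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def rsa_bits(tag, value):
    """Walk constructed elements to an RSA SubjectPublicKeyInfo; return modulus bits or None."""
    if tag not in (0x30, 0x31) and (tag & 0xE0) != 0xA0:
        return None  # primitive element, nothing to descend into
    kids = children(value)
    if [t for t, _ in kids] == [0x30, 0x03] and children(kids[0][1])[:1] == [(0x06, RSA_OID)]:
        # BIT STRING = unused-bits byte + RSAPublicKey ::= SEQUENCE { n, e }
        modulus = children(read_tlv(kids[1][1][1:])[1])[0][1]
        return int.from_bytes(modulus, "big").bit_length()
    return next((b for b in (rsa_bits(t, v) for t, v in kids) if b), None)

def check_cert(data):
    """Accept PEM or DER bytes; return (bits, meets_floor), bits is None if no RSA key."""
    if b"-----BEGIN" in data:  # PEM: drop the armour lines, decode the base64 body
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        data = base64.b64decode(body)
    bits = rsa_bits(*read_tlv(data)[:2])
    return bits, bits is not None and bits >= MIN_RSA_BITS

def tlv(tag, body):  # minimal DER encoder, used only to build the constructed sample
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_der(bits):  # constructed stand-in for a certificate; the modulus is not a real key
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    key = tlv(0x30, tlv(0x02, n) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_OID) + b"\x05\x00") + tlv(0x03, b"\x00" + key))
    return tlv(0x30, tlv(0x30, tlv(0xA0, b"\x02\x01\x02") + spki))
```

Passing the bytes of a certificate exported from a device to `check_cert` returns the key size and whether it meets the assumed floor; `sample_der(512)` gives `(512, False)`.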

Comment 13

3 years ago
(This bug has been marked as a duplicate, so clearing needinfo request).
Flags: needinfo?(well.reversed)