Environment: FF 34.0b2 Build Id:20141020184313 STR: 1. Open http://kuix.de/ca/nss-test-ca.php 2. Check the following on the "Downloading Certificate" dialog: Trust this CA to identify websites Trust this CA to identify email users Trust this CA to identify software developers and click ok 3. Open https://kuix.de:9450 Expected: "Untrusted Connection" error page appears Actual: Secure Connection Failed error page is displayed This bug is a regression from FF 34.0b1 to FF 34.0b2, the fix that seems to be the candidate is https://bugzilla.mozilla.org/show_bug.cgi?id=1058812
I'm pretty sure we're doing the right thing, here. That root certificate uses the nsCertType extension (marked critical), which is deprecated. We only support it in the sense that if it's present and not marked critical, we ignore it, and if it is marked critical, we make sure the certificate also has the standardized extensions that (should) convey the same information. In this case, the root is missing the additional standardized extensions (basic constraints and extended key usage), so we reject it with an "unknown critical extension" error. If you're testing deprecated signature algorithms, I would recommend using https://ssl-md5.mozqa.com/
(In reply to David Keeler (:keeler) [use needinfo?] from comment #1) > If you're testing deprecated signature algorithms, I would recommend using > https://ssl-md5.mozqa.com/ Alternatively, I'm sure we could get Kai to fix https://kuix.de:9450 so it tests what you're intending to test.
David, so, should this be wontfixed? Thanks! I'm cc-ing Kai in case he would like to fix his test.
Well, I would wontfix this, but if there was a specific reason this URL was being used, and if that reason is still important, that might change things. Catalin, does using https://ssl-md5.mozqa.com/ work, or do you need this site (https://kuix.de:9450) to work for something?
Flags: needinfo?(dkeeler) → needinfo?(catalin.varga)
Hi David, https://kuix.de:9450 page was being used by the QA team for a regression test of bug 650355 .
Ok - thanks! Using https://ssl-md5.mozqa.com/ should work fine as a regression test of bug 650355 (you'll have to install/trust the mozqa root certificate as part of step 1/2 instead of the one hosted at kuix.de).
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.