Closed Bug 1096901 Opened 5 years ago Closed 4 years ago

Secure Connection Failed error page displayed instead of "Untrusted Connection" error page when https://kuix.de:9450/ is opened.

Categories

(Core :: Security: PSM, defect)

34 Branch
defect
Not set

RESOLVED WONTFIX

People

(Reporter: VarCat, Unassigned)

Details

Environment:

FF 34.0b2
Build Id:20141020184313

STR:


1. Open http://kuix.de/ca/nss-test-ca.php
2. Check the following on the "Downloading Certificate" dialog:
   
   Trust this CA to identify websites
   Trust this CA to identify email users
   Trust this CA to identify software developers
   
   and click ok

3. Open https://kuix.de:9450

Expected:
"Untrusted Connection" error page appears

Actual:
Secure Connection Failed error page is displayed

This bug is a regression from FF 34.0b1 to FF 34.0b2; the fix that seems to be the candidate is https://bugzilla.mozilla.org/show_bug.cgi?id=1058812
Blocks: 1058812
I'm pretty sure we're doing the right thing, here. That root certificate uses the nsCertType extension (marked critical), which is deprecated. We only support it in the sense that if it's present and not marked critical, we ignore it, and if it is marked critical, we make sure the certificate also has the standardized extensions that (should) convey the same information. In this case, the root is missing the additional standardized extensions (basic constraints and extended key usage), so we reject it with an "unknown critical extension" error.

If you're testing deprecated signature algorithms, I would recommend using https://ssl-md5.mozqa.com/
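The nsCertType handling described in the comment above, as an added example that is not part of the bug thread and is not mozilla::pkix code. It parses only a DER-encoded Extensions SEQUENCE (not a whole certificate); the function names and sample inputs are hypothetical, and requiring both standardized extensions is an assumption taken from the comment's wording.

```python
# OID content bytes, as they appear inside a DER OBJECT IDENTIFIER
NS_CERT_TYPE = bytes.fromhex("6086480186f8420101")  # 2.16.840.1.113730.1.1
BASIC_CONSTRAINTS = bytes.fromhex("551d13")         # 2.5.29.19
EXT_KEY_USAGE = bytes.fromhex("551d25")             # 2.5.29.37

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def list_extensions(der):
    """Parse a DER Extensions SEQUENCE into {oid_bytes: critical}."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF Extension")
    found, pos = {}, 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid, nxt = read_tlv(ext, 0)
        tag, val, _ = read_tlv(ext, nxt)
        # critical is an optional BOOLEAN (tag 0x01) that defaults to FALSE
        found[oid] = tag == 0x01 and val != b"\x00"
    return found

def check_ns_cert_type(der):
    """Simplified model of the rule in the comment above."""
    exts = list_extensions(der)
    if not exts.get(NS_CERT_TYPE, False):
        return "ok"  # absent or not critical: the extension is ignored
    if BASIC_CONSTRAINTS in exts and EXT_KEY_USAGE in exts:
        return "ok"  # critical, but the standardized extensions are present
    return "unknown critical extension"

# Constructed sample inputs (short-form DER), not bytes from any real certificate.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body

def make_ext(oid, value, critical):
    crit = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, tlv(0x06, oid) + crit + tlv(0x04, value))

NS = make_ext(NS_CERT_TYPE, tlv(0x03, b"\x00\x07"), True)  # three CA bits set
BC = make_ext(BASIC_CONSTRAINTS, tlv(0x30, tlv(0x01, b"\xff")), True)  # cA = TRUE
EKU = make_ext(EXT_KEY_USAGE, tlv(0x30, tlv(0x06, bytes.fromhex("2b06010505070301"))), False)
CRITICAL_NS_ONLY, CRITICAL_NS_WITH_STD = tlv(0x30, NS), tlv(0x30, NS + BC + EKU)
```

`check_ns_cert_type(CRITICAL_NS_ONLY)` returns the rejection, while the same extension alongside basic constraints and extended key usage, or marked non-critical, passes.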
(In reply to David Keeler (:keeler) [use needinfo?] from comment #1)
> If you're testing deprecated signature algorithms, I would recommend using
> https://ssl-md5.mozqa.com/

Alternatively, I'm sure we could get Kai to fix https://kuix.de:9450 so it tests what you're intending to test.
David, so, should this be wontfixed? Thanks!

I'm cc-ing Kai in case he would like to fix his test.
Flags: needinfo?(dkeeler)
Well, I would wontfix this, but if there was a specific reason this URL was being used, and if that reason is still important, that might change things. Catalin, does using https://ssl-md5.mozqa.com/ work, or do you need this site (https://kuix.de:9450) to work for something?
Flags: needinfo?(dkeeler) → needinfo?(catalin.varga)
Hi David, the https://kuix.de:9450 page was being used by the QA team for a regression test of bug 650355.
Flags: needinfo?(catalin.varga)
Ok - thanks! Using https://ssl-md5.mozqa.com/ should work fine as a regression test of bug 650355 (you'll have to install/trust the mozqa root certificate as part of step 1/2 instead of the one hosted at kuix.de).
Looks like this is WONTFIX per comment 4 and comment 6.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX