Closed Bug 1106000 Opened 10 years ago Closed 9 years ago

Permanent "SSL peer rejected your certificate as expired."

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Version:
33 Branch
Platform:
x86_64
Windows 7
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1108408

People

(Reporter: grangen, Unassigned)

Details

(Keywords: regression)

Attachments

(1 file)

NadineGrange-EXTERNAL10027963.crt
2.26 KB, application/x-x509-ca-cert
Details 
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141113143407

Steps to reproduce:

FF 33.1.1 / Windows 7 Enterprise SP1
security.use_mozillapkix_verification set to 'false'
Open a new tab
Enter the URL of the secured site (internal site)
Insert the smart card in the driver
Type in the PIN code - PIN code is accepted


Actual results:

The error message is displayed "SSL peer rejected your certificate as expired." and it's impossible to access the site.




Expected results:

The certificate is valid until 2016
I can access the site with IE 8 - No issue
I can access the site with FF 32.0.3 6 - the access seems broken since the 33.0 release

Removing and reloading the PKI module in the Device Manager doesn't help

In bug #1052306 I reported in August, I was asked to switch security.use_mozillapkix_verification to 'false'; switching it back to 'true' doesn't help
Ugh. I should have followed up more when you closed the bug. Sorry for not doing that. pkix can't be turned off anymore, I don't think, which is why the preference doesn't change anything anymore.

David/Brian, can you look into this?
Component: Untriaged → Security: PSM
Flags: needinfo?(dkeeler)
Flags: needinfo?(brian)
Keywords: regression
Product: Firefox → Core
To be clear, the reason I should have followed up is because it was already known that we would switch to pkix, and any problems resulting from using pkix instead of the old cert verification code should be addressed (not just ignored by telling people to switch the pref). The reason I asked was to diagnose if this was related to the switch or not (which it clearly was in the end...).
Flags: needinfo?(brian)
Would you be able to post a copy of the public part of your certificate? (You should be able to do this by going to the certificate manager, finding your certificate in the Your Certificates tab and going to View -> Details -> Export.)
Flags: needinfo?(dkeeler) → needinfo?(grangen)
Attached the requested information
Flags: needinfo?(grangen)
Re-needinfo'ing to make sure this doesn't slip through the cracks again...
Flags: needinfo?(dkeeler)
Thanks for reminding me about this (and thanks for posting the certificate). Unfortunately, I don't see anything problematic about the certificate. I'm trying to get my own smart card set up and working to see if I can replicate the issue, but that's been difficult. I'll keep working and let you know how it goes.

Although, I did just notice that the certificate has an otherName entry in its subject alternative names extension. There was a bug recently with that (bug 1108408) that has been fixed. If you try with a recent nightly build of firefox, does it still fail?
Flags: needinfo?(dkeeler) → needinfo?(grangen)
I haven't received a response, so I'm assuming this issue has been resolved.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(grangen)
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: