Closed Bug 1109442 Opened 10 years ago Closed 10 years ago

"sec_error_reused_issuer_and_serial" instead of "sec_error_bad_signature"

Categories: Firefox :: Security (defect); Version: 33 Branch; Hardware: x86_64; OS: All; Priority: Not set; Severity: normal

Status: RESOLVED DUPLICATE of bug 435013

People: Reporter: c+fx, Unassigned, NeedInfo

Attachments: 1 file

To recreate:
Configure a server to use TLS to send a valid cert and chain including a root CA certificate that has the last 21 bytes at the end of the signature zeroed out (example attached).

What happened:
Received sec_error_reused_issuer_and_serial; the connection cannot continue.

What should happen:
The signature on the root should be validated (which in this case would fail), or the entire root ignored and looked up in the trust store. This should not be a "sec_error_reused_issuer_and_serial" issue because the purported "duplicate" leaf doesn't chain to a valid root.
This is a result of an architectural shortcoming in the way NSS handles certificates. NSS assumes that there will never be two certificates where the pair <issuer, serial number> is the same but the contents of the certificates differ elsewhere (which is exactly the situation you're encountering). Unfortunately as far as we know there's no easy fix.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
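As an added example (not code from this bug or from NSS), the Go program below reproduces the situation with a constructed self-signed root: it presents the root twice, the second time with the last 21 bytes of its signature zeroed, and shows that a lookup keyed only on (issuer, serial) cannot tell the two apart, whereas checking the signature before reaching a "duplicate" verdict can. The certificate name, the serial number and the classify labels are my own choices; Go's x509.ParseCertificate does not verify signatures, which is what lets the corrupted copy load at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// classify compares a presented self-signed root with a cached one: keying only on (issuer, serial), as NSS does, treats any byte difference as reuse; checking the signature first separates corruption from genuine reuse.
func classify(cached, candidate *x509.Certificate) string {
	switch {
	case cached.SerialNumber.Cmp(candidate.SerialNumber) != 0 || string(cached.RawIssuer) != string(candidate.RawIssuer):
		return "distinct"
	case string(cached.Raw) == string(candidate.Raw):
		return "same-cert"
	case candidate.CheckSignatureFrom(candidate) != nil:
		return "bad-signature"
	}
	return "reused-issuer-and-serial"
}

// Scenario builds a constructed self-signed root (serial 1, not a real CA) and presents it twice: unchanged, then with the last 21 signature bytes zeroed.
func Scenario() (identical, corrupted string) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	check(err)
	good, err := x509.ParseCertificate(der)
	check(err)
	broken := append([]byte(nil), der...) // copy, then zero the tail of signatureValue
	copy(broken[len(broken)-21:], make([]byte, 21))
	bad, err := x509.ParseCertificate(broken) // still parses: tags and lengths are intact and parsing does not verify
	check(err)
	return classify(good, good), classify(good, bad)
}
```

Run Scenario() and the unchanged root classifies as "same-cert" while the zeroed copy classifies as "bad-signature", never as a reused issuer and serial.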
Certificate installed on the server that Thunderbird is connecting to.
Flags: needinfo?(c+fx)
Do you mind adding clarity by attaching the root certificate in the example? We are running into this message in the Error Console of Thunderbird 31.4; trying the proposed workaround of removing cert8.db did not work so far.