Closed
Bug 1109442
Opened 10 years ago
Closed 10 years ago
"sec_error_reused_issuer_and_serial" instead of "sec_error_bad_signature"
Categories
(Firefox :: Security, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 435013
People
(Reporter: c+fx, Unassigned, NeedInfo)
Details
Attachments
(1 file)
1.25 KB,
text/plain
To recreate: configure a server to use TLS to send a valid cert and chain including a root CA certificate that has the last 21 bytes at the end of the signature zeroed out (example attached).
What happened: received sec_error_reused_issuer_and_serial; connection cannot continue.
What should happen: the signature on the root should be validated (which in this case would fail), or the entire root ignored and looked up in the trust store. This should not be a "sec_error_reused_issuer_and_serial" issue because the purported "duplicate" leaf doesn't chain to a valid root.
This is a result of an architectural shortcoming in the way NSS handles certificates. NSS assumes that there will never be two certificates where the pair <issuer, serial number> is the same but the contents of the certificates differ elsewhere (which is exactly the situation you're encountering). Unfortunately as far as we know there's no easy fix.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
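The situation the two comments above describe, as an added example that is not part of this bug or of NSS: a self-signed root is generated at run time, a copy of it has the last 21 bytes of its signature zeroed, and a cache keyed only on (issuer, serial) is fed first the trust-store copy and then the presented copy. The cache rejects the second copy with a stand-in for SEC_ERROR_REUSED_ISSUER_AND_SERIAL even though the tampered copy's own signature does not verify, and the leaf still chains to the trust-store root once the presented root is set aside. Go's crypto/x509 is used here only as a convenient stand-in for NSS; the names ErrReusedIssuerAndSerial, certCache, ZeroSignatureTail and Scenario are this example's own, and the certificates are constructed test data, not the attachment from the report.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrReusedIssuerAndSerial is this example's stand-in for NSS's
// SEC_ERROR_REUSED_ISSUER_AND_SERIAL (hypothetical name, not an NSS symbol).
var ErrReusedIssuerAndSerial = errors.New("reused issuer and serial: a different certificate with this issuer/serial is already cached")

// outerCert mirrors the top-level X.509 Certificate SEQUENCE so the
// signatureValue BIT STRING can be located and bounds-checked.
type outerCert struct {
	TBS      asn1.RawValue
	SigAlg   pkix.AlgorithmIdentifier
	SigValue asn1.BitString
}

// ZeroSignatureTail returns a copy of der whose last n signature bytes are zero.
// signatureValue is the final element of Certificate, so its last n bytes are
// the last n bytes of the DER; the outer structure stays parseable.
func ZeroSignatureTail(der []byte, n int) ([]byte, error) {
	var oc outerCert
	rest, err := asn1.Unmarshal(der, &oc)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 {
		return nil, errors.New("trailing data after certificate")
	}
	if n > len(oc.SigValue.Bytes) {
		return nil, fmt.Errorf("signature is only %d bytes, cannot zero %d", len(oc.SigValue.Bytes), n)
	}
	out := append([]byte(nil), der...)
	for i := len(out) - n; i < len(out); i++ {
		out[i] = 0
	}
	return out, nil
}

// certCache models a store keyed only on (issuer DN, serial number), the
// assumption comment 1 describes: two certificates with that pair in common
// but different bytes elsewhere are treated as a conflict, not as two certs.
type certCache struct{ byKey map[string]*x509.Certificate }

func newCertCache() *certCache { return &certCache{byKey: map[string]*x509.Certificate{}} }

func cacheKey(c *x509.Certificate) string {
	return string(c.RawIssuer) + "|" + c.SerialNumber.String()
}

// Add stores c, or reports a collision if a byte-different cert holds the key.
func (cc *certCache) Add(c *x509.Certificate) error {
	if prev, ok := cc.byKey[cacheKey(c)]; ok {
		if bytes.Equal(prev.Raw, c.Raw) {
			return nil
		}
		return ErrReusedIssuerAndSerial
	}
	cc.byKey[cacheKey(c)] = c
	return nil
}

// selfSignedRoot generates a throwaway ECDSA P-256 root CA (constructed test data).
func selfSignedRoot() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// leafSignedBy issues a server leaf under parent (constructed test data).
func leafSignedBy(parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "mail.example.test"},
		DNSNames:     []string{"mail.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Result records what each check in the scenario concluded.
type Result struct {
	GenuineSigOK  bool  // trust-store root's own signature verifies
	TamperedSigOK bool  // presented (zeroed) root's own signature verifies
	CacheErr      error // what the (issuer, serial)-keyed cache says about the presented root
	LeafOK        bool  // leaf verified against the trust-store root after setting the presented root aside
}

// Scenario replays the report: trust store holds the genuine root, the server
// presents leaf + a root with the last zeroBytes bytes of its signature zeroed.
func Scenario(zeroBytes int) (Result, error) {
	var r Result
	root, rootKey, err := selfSignedRoot()
	if err != nil {
		return r, err
	}
	leaf, err := leafSignedBy(root, rootKey)
	if err != nil {
		return r, err
	}
	tamperedDER, err := ZeroSignatureTail(root.Raw, zeroBytes)
	if err != nil {
		return r, err
	}
	tampered, err := x509.ParseCertificate(tamperedDER) // parses fine; only the signature is damaged
	if err != nil {
		return r, err
	}
	r.GenuineSigOK = root.CheckSignature(root.SignatureAlgorithm, root.RawTBSCertificate, root.Signature) == nil
	r.TamperedSigOK = tampered.CheckSignature(tampered.SignatureAlgorithm, tampered.RawTBSCertificate, tampered.Signature) == nil

	cache := newCertCache()
	_ = cache.Add(root)           // trust-store copy is loaded first
	_ = cache.Add(leaf)           // different serial, no conflict
	r.CacheErr = cache.Add(tampered) // same issuer and serial, different bytes: the reported error

	// What the reporter argues should happen instead: ignore the presented root
	// and chain the leaf to the trust-store copy.
	r.LeafOK = leaf.CheckSignatureFrom(root) == nil
	return r, nil
}

func main() {
	r, err := Scenario(21)
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine root signature verifies:  %v\n", r.GenuineSigOK)
	fmt.Printf("tampered root signature verifies: %v\n", r.TamperedSigOK)
	fmt.Printf("(issuer, serial)-keyed cache:     %v\n", r.CacheErr)
	fmt.Printf("leaf chains to trust-store root:  %v\n", r.LeafOK)
}
```

The cache collision and the failed signature check are independent: the cache never looks at the signature, which is why a corrupted copy of a root already in the trust store surfaces as "reused issuer and serial" rather than as a bad signature.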
Comment 2•9 years ago
Certificate installed on the server that Thunderbird is connecting to.
Flags: needinfo?(c+fx)
Comment 3•9 years ago
Do you mind adding clarity by attaching the Root certificate in the example? We are running into this message in the Error Console of Thunderbird 31.4; trying the proposed workaround of removing cert8.db has not worked so far.