nolp.dhl.de sends an intermediate certificate with an invalid name constraints extension

Status: RESOLVED FIXED
Product: Tech Evangelism
Component: Desktop
Keywords: regression
Firefox Tracking Flags: Not tracked

People

(Reporter: Hartmut Figge, Assigned: Steve Roylance)

Description (Reporter)

4 years ago
Trying to contact https://amsel.dpwn.net/ with my Trunk-SM Linux x86_64 I get

Secure Connection Failed
An error occurred during a connection to amsel.dpwn.net.
security library: improperly formatted DER-encoded message.
(Error code: sec_error_bad_der)

Regression range is
Last good: 2014-12-09 17:42:00 PST   c-c:88bde0fc609a m-c:d7c76fe69e9a
First bad: 2014-12-10 16:09:00 PST   c-c:2e3eb4f336d0 m-c:0cf461e62ce5

The bug was confirmed by a user with FF on Windows NT 6.1.

Comment 1

4 years ago
I can confirm that for the actual Firefox-trunk on Windows.
Comment 2 (Reporter)

4 years ago
There was a change to the error message in the range
2014-12-20 17:22:00 PST   c-c:7bc453bb4cdd m-c:7b33ee7fd162
2014-12-22 05:39:00 PST   c-c:8d3f8239c7b7 m-c:c357fb08cc10

The above-mentioned message occurs with builds >= this range; for builds <= this range the message is

Secure Connection Failed
An error occurred during a connection to amsel.dpwn.net. The Certifying Authority for this certificate is not permitted to issue a certificate with this name. (Error code: sec_error_cert_not_in_name_space)
Comment 3

The intermediate certificate with subject 'C=DE, ST=Nordrhein-Westfalen, L=Bonn, O=Deutsche Post, CN=DPDHL TLS CA I3', issuer 'C=BE, OU=Trusted Root, O=GlobalSign nv-sa, CN=Trusted Root CA G2', and serial number '40:cd:73:67:81:99:e2:07:f0:a5:0b:54:63:27:b7:35:ed' has a name constraints extension containing (among many others) dNSName 'leserservice-media.de ' and dNSName 'leserservice-sicherheitsabo.de ' (note the trailing space on both of those). These are not valid DNS names, and so the entire extension is considered invalid.

Updated

Duplicate of this bug: 1120097

Comment 5

Kathleen, do you know who we can reach out to to fix this intermediate? (see comment 3)
Flags: needinfo?(kwilson)

Comment 6

3 years ago
Steve, please see comment 3.
Assignee: nobody → steve.roylance
Flags: needinfo?(kwilson)
Comment 7 (Assignee)

3 years ago
I will reach out to my colleagues at DHL and ask them to correct the intermediate certificate in the chain. The one sent by the web server has been replaced to remove the spaces, but it seems this web server did not have that one updated. The latest CA was created in September 2014 and has serial number 2c 05 48 16 6d 0c 59 96 07 f9 2b fc 55 ff 88 aa 43

Thanks for pointing this out.

Comment 8

3 years ago
This still appears to be an issue.
Component: Security → Desktop
Product: Core → Tech Evangelism
Summary: Trunk: Secure Connection Failed → amsel.dpwn.net sends an intermediate certificate with an invalid name constraints extension
Comment 9 (Assignee)

3 years ago
Agreed. It should have been corrected, so I'll ask the team again to fix it.

https://www.ssllabs.com/ssltest/analyze.html?d=amsel.dpwn.net&hideResults=on shows the fingerprint of the issuing CA as 0fcc78fbbca9f32b08b19b032b84f2c86a128f35 i.e. serial number 40cd73678199e207f0a50b546327b735ed

https://www.ssllabs.com/ssltest/analyze.html?d=partnerportal-deutschepost.de&hideResults=on shows the fingerprint of 57c6cbc9f3b628e0fd5ab4371d9b16440e1bd391 i.e. serial number 2078f77a210adcad57ae9bb5bafb41baf1 which is the corrected version of the CA.

Comment 10

Trying this URL of the mail tracking system of German Post...

https://www.deutschepost.de/sendung/simpleQuery.html

...I still get sec_error_bad_der

Which means that mail tracking of registered letters, parcels etc. is not available to all up-to-date Firefox users. Is it this bug? Whom can I contact to push them into fixing this?

> Fehler: Gesicherte Verbindung fehlgeschlagen
> 
> Ein Fehler ist während einer Verbindung mit www.deutschepost.de aufgetreten. Sicherheitsbibliothek:
> Fehlerhaft formatierte DER-verschlüsselte Nachricht. (Fehlercode: sec_error_bad_der)
> 
> Die Website kann nicht angezeigt werden, da die Authentizität der erhaltenen Daten nicht verifiziert
> werden konnte.
> Kontaktieren Sie bitte den Inhaber der Website, um ihn über dieses Problem zu informieren.

Comment 11

Steve, would you be able to help with comment 10?
Flags: needinfo?(steve.roylance)
Comment 12 (Assignee)

3 years ago
(In reply to Thomas D. from comment #10)
> Trying this URL of the mail tracking system of German Post...
> 
> https://www.deutschepost.de/sendung/simpleQuery.html
> 
> ...I still get sec_error_bad_der
> 
> Which means that mail tracking of registered letters, parcels etc. is not
> available to all up-to-date Firefox users. Is it this bug? Whom can I
> contact to push them into fixing this?
> 
> > Fehler: Gesicherte Verbindung fehlgeschlagen
> > 
> > Ein Fehler ist während einer Verbindung mit www.deutschepost.de aufgetreten. Sicherheitsbibliothek:
> > Fehlerhaft formatierte DER-verschlüsselte Nachricht. (Fehlercode: sec_error_bad_der)
> > 
> > Die Website kann nicht angezeigt werden, da die Authentizität der erhaltenen Daten nicht verifiziert
> > werden konnte.
> > Kontaktieren Sie bitte den Inhaber der Website, um ihn über dieses Problem zu informieren.

I'm trying to push some other people in the team to resolve this. Note that Firefox 36 is OK. It's 37 that is more particular on these areas.
Flags: needinfo?(steve.roylance)

Comment 13

3 years ago
We have exactly the same problem now with Firefox 37.0.1, like Steve Roylance reported, but with another URL:

https://nolp.dhl.de/nextt-online-public/set_identcodes.do

But not with all Firefox installations. On my notebook with Windows 8.1 it works. The problem appears only on our terminal server under Windows 2008 R2.

Please fix this problem or give me information on how to solve this.
Comment 14 (Assignee)

3 years ago
(In reply to Netsroht from comment #13)
> We have exactly the same problem now with Firefox 37.0.1, like Steve
> Roylance reported, but with an other URL:
> 
> https://nolp.dhl.de/nextt-online-public/set_identcodes.do
> 
> But not with all Firefox installations. On my Notebook with Windows 8.1 it
> works. The problem appears only on our terminal server under Windows 2008
> R2. 
> 
> Please fix this problem or give me an info how to solve this.

This seems to be the 'space' in the name constraints issue that I referred to earlier. The issuing CA in the chain sent by this server needs to be updated. I will again alert the DHL team. It shows that AIA would have been good to use in this case, as it would have pulled the correct 'updated' intermediate certificate from http://keyserver.dhl.com/pki/i3/dpdhl_tls_i3.crt

Comment 15

3 years ago
This problem/error also occurs when the site is using a certificate encrypted with AES_128_GCM and ECDHE_RSA.

Comment 16

3 years ago
(In reply to Martin Winstrand from comment #15)
> This problem/error also occurs when the site is using a certificate
> encrypted with AES_128_GCM and ECDHE_RSA.

For those who need to see the certificate (in base64 text format):

Comment 17

3 years ago
Fixed:
  https://amsel.dpwn.net
  https://www.deutschepost.de

Still broken:
  https://nolp.dhl.de
OS: Linux → All
Hardware: x86_64 → All
Summary: amsel.dpwn.net sends an intermediate certificate with an invalid name constraints extension → nolp.dhl.de sends an intermediate certificate with an invalid name constraints extension

Updated

3 years ago
Duplicate of this bug: 1175423

Comment 19

3 years ago
Still broken:
  https://nolp.dhl.de

A problem with the certificates: try to get it here:

http://keyserver.deutschepost.de/certificates

Just take the certificates from 3. Generation. There are some options you can mark. After that the site should work fine.

Comment 20

3 years ago
Still broken:
https://mein.1und1.de/
https://account.1und1.de/
Comment 21 (Assignee)

3 years ago
(In reply to Jörg Reimer from comment #20)
> Still broken:
> https://mein.1und1.de/
> https://account.1und1.de/

Hi Jörg. These web sites are not within the portfolio of DHL (Deutsche Post), so I think you need to solve this elsewhere if you have issues.

Regards Steve

Comment 22

3 years ago
Looks like https://nolp.dhl.de is fixed now.

If there are still issues with other sites, please file separate bugs for them - separate bugs are easier to track.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED