Closed Bug 1114815 Opened 10 years ago Closed 10 years ago

nolp.dhl.de sends an intermediate certificate with an invalid name constraints extension

Categories: Web Compatibility :: Site Reports
Type: defect
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
Reporter: h.figge
Assigned: steve.roylance
Keywords: regression

Trying to contact https://amsel.dpwn.net/ with my Trunk-SM Linux x86_64 I get:

Secure Connection Failed
An error occurred during a connection to amsel.dpwn.net. security library: improperly formatted DER-encoded message. (Error code: sec_error_bad_der)

Regression range is
Last good: 2014-12-09 17:42:00 PST c-c:88bde0fc609a m-c:d7c76fe69e9a
First bad: 2014-12-10 16:09:00 PST c-c:2e3eb4f336d0 m-c:0cf461e62ce5

The bug was confirmed by a user with FF on Windows NT 6.1.
I can confirm that for the actual Firefox-trunk on Windows.
There was a change to the error message in the range
2014-12-20 17:22:00 PST c-c:7bc453bb4cdd m-c:7b33ee7fd162
2014-12-22 05:39:00 PST c-c:8d3f8239c7b7 m-c:c357fb08cc10

The above mentioned message occurs with builds >= this range; for builds <= this range the message is:

Secure Connection Failed
An error occurred during a connection to amsel.dpwn.net. The Certifying Authority for this certificate is not permitted to issue a certificate with this name. (Error code: sec_error_cert_not_in_name_space)
The intermediate certificate with subject 'C=DE, ST=Nordrhein-Westfalen, L=Bonn, O=Deutsche Post, CN=DPDHL TLS CA I3', issuer 'C=BE, OU=Trusted Root, O=GlobalSign nv-sa, CN=Trusted Root CA G2', and serial number '40:cd:73:67:81:99:e2:07:f0:a5:0b:54:63:27:b7:35:ed' has a name constraints extension containing (among many others) dNSName 'leserservice-media.de ' and dNSName 'leserservice-sicherheitsabo.de ' (note the trailing space on both of those). These are not valid DNS names, and so the entire extension is considered invalid.
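As an added illustration (not code from this bug or from NSS/mozilla::pkix), the following decodes a constructed nameConstraints GeneralSubtrees value and flags dNSName entries, such as the two quoted above with a trailing space, that do not satisfy the preferred-name syntax a strict verifier enforces. The DER helpers, the regular expression and the sample bytes are all my own construction; the acceptance of a leading '.' is an assumption about how lenient the check should be.

```python
import re

# One hostname label: LDH characters only, 1-63 chars, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def der_tlv(tag, content):
    """Encode one DER TLV (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def read_tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, content, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:  # long-form length: low bits give the byte count
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def dns_constraints(subtrees_der):
    """dNSName entries ([2] IMPLICIT IA5String, tag 0x82) of a GeneralSubtrees SEQUENCE."""
    names, pos = [], 0
    _, seq, _ = read_tlv(subtrees_der, 0)
    while pos < len(seq):
        _, subtree, pos = read_tlv(seq, pos)       # GeneralSubtree ::= SEQUENCE { base, ... }
        tag, content, _ = read_tlv(subtree, 0)     # base GeneralName is the first element
        if tag == 0x82:
            names.append(content.decode("ascii"))
    return names

def is_valid_dns_constraint(name):
    """Every label must match LABEL_RE, so a trailing space fails.
    A leading '.' (subdomains-only form) is tolerated (assumption)."""
    host = name[1:] if name.startswith(".") else name
    if not host or len(host) > 253:
        return False
    return all(LABEL_RE.match(label) for label in host.split("."))

def offending_names(subtrees_der):
    return [n for n in dns_constraints(subtrees_der) if not is_valid_dns_constraint(n)]

# Constructed sample permittedSubtrees: the two names quoted in the report
# (trailing space kept on purpose) plus one well-formed entry.
SAMPLE = der_tlv(0x30, b"".join(
    der_tlv(0x30, der_tlv(0x82, n.encode("ascii")))
    for n in ("leserservice-media.de ", "leserservice-sicherheitsabo.de ", "dhl.de")))
```

Running `offending_names` over the nameConstraints of an intermediate before deploying it catches exactly the kind of entry that makes a strict parser reject the whole extension.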
Kathleen, do you know who we can reach out to to fix this intermediate? (see comment 3)
Flags: needinfo?(kwilson)
Steve, Please see Comment #3.
Assignee: nobody → steve.roylance
Flags: needinfo?(kwilson)
I will reach out to my colleagues at DHL and ask them to correct the intermediate certificate in the chain. The one sent by the web server has been replaced to remove the spaces but it seems this web server did not have that one updated. The latest CA was created in September 2014 and has serial number 2c 05 48 16 6d 0c 59 96 07 f9 2b fc 55 ff 88 aa 43. Thanks for pointing this out.
This still appears to be an issue.
Component: Security → Desktop
Product: Core → Tech Evangelism
Summary: Trunk: Secure Connection Failed → amsel.dpwn.net sends an intermediate certificate with an invalid name constraints extension
Agreed. It should have been corrected so I'll ask the team again to fix.
https://www.ssllabs.com/ssltest/analyze.html?d=amsel.dpwn.net&hideResults=on shows the fingerprint of the issuing CA as 0fcc78fbbca9f32b08b19b032b84f2c86a128f35, i.e. serial number 40cd73678199e207f0a50b546327b735ed.
https://www.ssllabs.com/ssltest/analyze.html?d=partnerportal-deutschepost.de&hideResults=on shows the fingerprint of 57c6cbc9f3b628e0fd5ab4371d9b16440e1bd391, i.e. serial number 2078f77a210adcad57ae9bb5bafb41baf1, which is the corrected version of the CA.
Trying this URL of the mail tracking system of German Post...
https://www.deutschepost.de/sendung/simpleQuery.html
...I still get sec_error_bad_der

Which means that mail tracking of registered letters, parcels etc. is not available to all up-to-date Firefox users. Is it this bug? Whom can I contact to push them into fixing this?

> Fehler: Gesicherte Verbindung fehlgeschlagen
>
> Ein Fehler ist während einer Verbindung mit www.deutschepost.de aufgetreten. Sicherheitsbibliothek: Fehlerhaft formatierte DER-verschlüsselte Nachricht. (Fehlercode: sec_error_bad_der)
>
> Die Website kann nicht angezeigt werden, da die Authentizität der erhaltenen Daten nicht verifiziert werden konnte.
> Kontaktieren Sie bitte den Inhaber der Website, um ihn über dieses Problem zu informieren.
Steve, would you be able to help with comment 10?
Flags: needinfo?(steve.roylance)
(In reply to Thomas D. from comment #10)
> Trying this URL of the mail tracking system of German Post...
> https://www.deutschepost.de/sendung/simpleQuery.html
> ...I still get sec_error_bad_der
>
> Which means that mail tracking of registered letters, parcels etc. is not available to all up-to-date Firefox users. Is it this bug? Whom can I contact to push them into fixing this?
>
> > Fehler: Gesicherte Verbindung fehlgeschlagen
> >
> > Ein Fehler ist während einer Verbindung mit www.deutschepost.de aufgetreten. Sicherheitsbibliothek: Fehlerhaft formatierte DER-verschlüsselte Nachricht. (Fehlercode: sec_error_bad_der)
> >
> > Die Website kann nicht angezeigt werden, da die Authentizität der erhaltenen Daten nicht verifiziert werden konnte.
> > Kontaktieren Sie bitte den Inhaber der Website, um ihn über dieses Problem zu informieren.

I'm trying to push some other people in the team to resolve this. Note that Firefox 36 is OK. It's 37 that is more particular on these areas.
Flags: needinfo?(steve.roylance)
We have exactly the same problem now with Firefox 37.0.1, like Steve Roylance reported, but with another URL:
https://nolp.dhl.de/nextt-online-public/set_identcodes.do
But not with all Firefox installations. On my Notebook with Windows 8.1 it works. The problem appears only on our terminal server under Windows 2008 R2. Please fix this problem or give me an info how to solve this.
(In reply to Netsroht from comment #13)
> We have exactly the same problem now with Firefox 37.0.1, like Steve Roylance reported, but with another URL:
> https://nolp.dhl.de/nextt-online-public/set_identcodes.do
> But not with all Firefox installations. On my Notebook with Windows 8.1 it works. The problem appears only on our terminal server under Windows 2008 R2.
> Please fix this problem or give me an info how to solve this.

This seems to be the 'space' in the name constraints issue that I referred to earlier. The issuing CA in the chain sent by this server needs to be updated. I will again alert the DHL team. It shows that AIA would have been good to use in this case as it would have pulled the correct 'updated' intermediate certificate from http://keyserver.dhl.com/pki/i3/dpdhl_tls_i3.crt
This problem/error also occurs when the site is using a certificate encrypted with AES_128_GCM and ECDHE_RSA.
(In reply to Martin Winstrand from comment #15)
> This problem/error also occurs when the site is using a certificate encrypted with AES_128_GCM and ECDHE_RSA.

For those who need to see the certificate (in 64-bit text format):
OS: Linux → All
Hardware: x86_64 → All
Summary: amsel.dpwn.net sends an intermediate certificate with an invalid name constraints extension → nolp.dhl.de sends an intermediate certificate with an invalid name constraints extension
Still broken: https://nolp.dhl.de
A problem with the certificates: try to get it here: http://keyserver.deutschepost.de/certificates
Just take the certificates from 3. Generation. There are some options you can mark. After that the site should work fine.
(In reply to Jörg Reimer from comment #20)
> Still broken:
> https://mein.1und1.de/
> https://account.1und1.de/

Hi Jörg. These websites are not within the portfolio of DHL (Deutsche Post) so I think you need to solve elsewhere if you have issues. Regards Steve
Looks like https://nolp.dhl.de is fixed now. If there are still issues with other sites, please file separate bugs for them - separate bugs are easier to track.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Product: Tech Evangelism → Web Compatibility