Closed Bug 1120005 Opened 9 years ago Closed 8 years ago

Secure Connection Failed error while accessing self signed QA server

Categories

(Core :: Security: PSM, defect)

34 Branch
x86_64
Windows 7
defect
Not set
normal

RESOLVED WONTFIX

People

(Reporter: amunnamg, Unassigned)

Attachments

(1 file)

778 bytes, application/x-x509-ca-cert
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36

Steps to reproduce:

Thank you David. Here is the information requested.
C:>openssl s_client -connect tenantsvr2.vmwaredomain.local:8443 -showcerts
connect: Bad file number
connect:errno=9


I am able to bypass this security exception and navigate to the website in Chrome. However, in Firefox that is not the case.

Issue: Secure Connection Failed error.
Version: 34.0.5
OS: Windows XP

We use the Firefox browser for developing JavaScript-rich applications and it helps a lot to debug and identify JavaScript issues. Of late the following security exception has been appearing while accessing our QA server. Can you please suggest how to go ahead and add an exception to navigate to this site? This is blocking our development using Firefox.

Thanks
Actual results:

Secure Connection Failed

An error occurred during a connection to tenantsvr2.vmwaredomain.local. Certificate contains unknown critical extension. (Error code: sec_error_unknown_critical_extension)

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.


Expected results:

It should show the login page of our website.
Hi Vani, I was assuming you were working in Linux - I don't know what the equivalent command is in openssl, which is probably why that didn't work as expected. Basically, if you could post a copy of the public part of the chain of certificates the server sends in the TLS handshake, that will help us figure out what's going on here.
(In reply to David Keeler [:keeler] (use needinfo?) from comment #1)
> I don't know what the equivalent command is in openssl

(and by openssl I mean windows)
Hi David,
Here is the certificate information given by Chrome. After clicking on the broken lock, it gives a small popup with the following info.

The identity of this website has not been verified.
The server's certificate is not trusted.
The server's certificate is signed using a weak signature algorithm.

Your connection to tenantsvr1.vmwaredomain.local is encrypted with 128-bit encryption.

The connection uses TLS1.0.
The connection is encrypted using RC4_128, with MD5 for message authentication and RSA as the key exchange mechanism.
The server does not support renegotiation extension.
In Firefox version 29, this gives the Untrusted security exception page; once confirmed, I am able to navigate to the website. However, in 34 it does not give the option to bypass.
If you click on the broken lock in Chrome, if you go to the "Connection" tab, is there a "Certificate Information" link? If so, please click on that, go to the "Details" tab, click "export", select "Base64-encoded ASCII, certificate chain" in the drop-down menu, save that data somewhere, and then attach it to this bug. That way, we'll be able to examine the public certificates the server is sending to see what might be causing this. Thanks!
Attached file base64.cer
Certificate information exported from Chrome.
C:\Work>openssl x509 -in base64.cer -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1001 (0x3e9)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, OU=IT, CN=Callidus Software
        Validity
            Not Before: Dec  8 23:51:14 2008 GMT
            Not After : Mar  8 23:51:14 2017 GMT
        Subject: C=US, OU=IT, CN=TENANTSVR1.vmwaredomain.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c9:54:7f:a9:20:7b:e8:dc:f3:60:c1:dd:3f:58:
                    dd:db:14:9c:b0:5e:d4:19:40:14:16:d1:dd:2b:00:
                    b0:a1:3c:05:74:40:55:98:38:b2:18:09:2e:f2:8e:
                    8b:dd:c7:ce:92:47:3f:dd:9b:ef:4f:d5:22:6b:53:
                    a0:a6:8b:8e:ff:f3:cd:65:b1:05:fe:39:03:58:8e:
                    52:25:32:7b:8c:34:bd:4c:7a:8a:3e:18:ca:39:94:
                    4d:99:74:2a:4f:bb:29:9b:7d:48:e4:cb:33:96:b9:
                    8e:6a:66:d4:d7:7d:97:ff:4a:1c:1f:a3:43:40:36:
                    42:74:36:96:a7:7d:7e:85:5d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type: critical
                SSL Server
    Signature Algorithm: md5WithRSAEncryption
        c6:e9:00:31:a9:9e:2e:75:05:f4:96:ba:48:be:e5:a7:d6:e6:
        3e:89:38:88:0f:5d:f3:9d:26:da:90:b7:0a:9f:75:f2:fc:b2:
        8f:8d:37:9a:a8:1e:51:be:a5:65:85:4d:bf:ee:92:c8:d9:ac:
        54:db:ab:14:40:fc:b5:13:75:b1:e3:c3:d3:8d:ce:37:a5:4d:
        4d:af:8c:77:84:36:62:2f:76:be:fc:04:3e:37:01:32:10:bb:
        4a:bd:9f:9c:d9:ca:ce:88:ac:8a:67:39:53:69:1d:0a:2c:de:
        74:cf:ff:19:20:31:5f:0e:be:38:0d:2e:da:97:3b:fd:ce:d6:
        1f:7d
Looks like that certificate only has the 'Netscape Cert Type' extension (marked critical). It should be re-generated without it. The standardized extensions that provide the same functionality are 'key usage' and 'extended key usage'. See http://tools.ietf.org/html/rfc5280
What software was used to generate the certificate? Perhaps we should reach out to the vendor.
David,
Doesn't Firefox version 34 allow Netscape Cert Type: critical? 
This self-signed certificate was generated long ago on Linux servers. I am not sure of the software used. Is regenerating the certificate the only workaround? I wish there were a way to bypass validation of certificates like in version 29 of Firefox and other browsers (Chrome).
(In reply to Vani from comment #9)
> David,
> Doesn't Firefox version 34 allow Netscape Cert Type: critical? 
> This Selfsigned certificate is generated long ago on linux servers. I am not
> sure of software used. Is this the only work around to re generate
> certificate? I wish there is a way to bypass validation of certificates like
> in version 29 of firefox and other browsers(chrome).

See https://hg.mozilla.org/mozilla-central/file/49651d30167a/security/pkix/lib/pkixcert.cpp#l152 for the exact policy at the moment.

In particular: "Thus, for compatibility reasons, we "understand" this extension by ignoring it when it is not critical, and by ensuring that the equivalent standardized extensions are present when it is marked critical".
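The policy quoted in comment 10 (ignore Netscape Cert Type when it is not critical; when it is critical, require the equivalent standardized extensions, which comment 8 names as key usage and extended key usage) can be checked offline against a certificate's extension list. The following is an added example, not code from this bug or from mozilla::pkix: a minimal DER walker for the X.509 `Extensions` SEQUENCE plus a `check_extensions` function encoding that reading of the policy. The three extension sets at the bottom are constructed here for illustration (they are not the attached base64.cer); the first mirrors the shape shown in comment 7 (only `Netscape Cert Type`, marked critical), the second is what a regenerated certificate per comment 8 would carry, the third keeps the legacy extension critical but adds the standardized equivalents. Treating "both key usage and extended key usage must be present" as the meaning of "equivalent standardized extensions" is an assumption; the exact rule is in the linked pkixcert.cpp.

```python
"""Check an X.509 Extensions blob against the Netscape Cert Type policy from comment 10.

Added example; not part of Firefox/mozilla::pkix. Pure standard library, no network.
"""

# Well-known OIDs (dotted form), as used by RFC 5280 and the legacy Netscape extension.
OID_NS_CERT_TYPE = "2.16.840.1.113730.1.1"   # netscape-cert-type (legacy, proprietary)
OID_KEY_USAGE = "2.5.29.15"                   # id-ce-keyUsage
OID_EXT_KEY_USAGE = "2.5.29.37"               # id-ce-extKeyUsage
OID_BASIC_CONSTRAINTS = "2.5.29.19"           # id-ce-basicConstraints
OID_SUBJECT_ALT_NAME = "2.5.29.17"            # id-ce-subjectAltName
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"         # id-kp-serverAuth
# Subset of extensions this checker "understands"; any other critical one is rejected.
KNOWN_EXTENSIONS = {OID_KEY_USAGE, OID_EXT_KEY_USAGE, OID_BASIC_CONSTRAINTS, OID_SUBJECT_ALT_NAME}

# ---- tiny DER encoder (only used to build the constructed samples below) ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:                       # base-128, high bit set on all but last byte
        chunk = bytearray([p & 0x7F]); p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F)); p >>= 7
        body += chunk
    return der_tlv(0x06, bytes(body))

def make_ext(oid, value, critical=False):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    body = encode_oid(oid)
    if critical:
        body += der_tlv(0x01, b"\xff")
    return der_tlv(0x30, body + der_tlv(0x04, value))

def make_extensions(*exts):
    return der_tlv(0x30, b"".join(exts))

# ---- tiny DER decoder ----
def der_read(buf, pos):
    """Read one TLV at pos; return (tag, value_bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val); val = 0
    return ".".join(map(str, parts))

def parse_extensions(der):
    """Return [(oid, critical, value_bytes), ...] from a DER Extensions SEQUENCE."""
    tag, seq, _ = der_read(der, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    exts, pos = [], 0
    while pos < len(seq):
        tag, ext, pos = der_read(seq, pos)
        t, oid_body, p = der_read(ext, 0)
        oid, critical = decode_oid(oid_body), False
        t, val, p = der_read(ext, p)
        if t == 0x01:                         # optional BOOLEAN critical
            critical, (t, val, p) = val != b"\x00", der_read(ext, p)
        assert t == 0x04, "extnValue must be an OCTET STRING"
        exts.append((oid, critical, val))
    return exts

def check_extensions(der):
    """Apply the comment-10 policy (assumed reading): 'accept' or 'reject: <reason>'."""
    exts = parse_extensions(der)
    present = {oid for oid, _, _ in exts}
    for oid, critical, _ in exts:
        if oid == OID_NS_CERT_TYPE:
            if not critical:
                continue                      # non-critical: ignored for compatibility
            if OID_KEY_USAGE in present and OID_EXT_KEY_USAGE in present:
                continue                      # critical, but standardized equivalents present
            return "reject: sec_error_unknown_critical_extension"
        if critical and oid not in KNOWN_EXTENSIONS:
            return "reject: sec_error_unknown_critical_extension"
    return "accept"

# ---- constructed samples (not the attached certificate) ----
NS_SSL_SERVER = der_tlv(0x03, b"\x06\x40")     # BIT STRING, bit 1 = SSL Server
KU_SIG_ENC = der_tlv(0x03, b"\x05\xa0")        # keyUsage: digitalSignature|keyEncipherment
EKU_SERVER_AUTH = der_tlv(0x30, encode_oid(OID_SERVER_AUTH))

BUG_CERT_EXTS = make_extensions(make_ext(OID_NS_CERT_TYPE, NS_SSL_SERVER, critical=True))
REGENERATED_EXTS = make_extensions(make_ext(OID_KEY_USAGE, KU_SIG_ENC, critical=True),
                                   make_ext(OID_EXT_KEY_USAGE, EKU_SERVER_AUTH))
COMPAT_EXTS = make_extensions(make_ext(OID_NS_CERT_TYPE, NS_SSL_SERVER, critical=True),
                              make_ext(OID_KEY_USAGE, KU_SIG_ENC, critical=True),
                              make_ext(OID_EXT_KEY_USAGE, EKU_SERVER_AUTH))

if __name__ == "__main__":
    for name, blob in [("comment-7 shape", BUG_CERT_EXTS), ("regenerated", REGENERATED_EXTS),
                       ("legacy + equivalents", COMPAT_EXTS)]:
        print(f"{name:22s} {[o for o, _, _ in parse_extensions(blob)]} -> {check_extensions(blob)}")
```

The first sample reproduces the verdict in the error message on this bug; the other two show the two ways out that comments 8 and 10 describe. To run it against a real certificate you would extract the `extensions [3]` field from the TBSCertificate and hand that DER to `check_extensions`; the decoder here deliberately covers only that substructure.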
Thanks for filing the bug.

I'm going to jump the gun a little here and resolve this as WONTFIX since:
 - Comment 8 and comment 10 list workarounds
 - This doesn't seem like a widespread issue
 - We would prefer not to support proprietary Netscape cert extensions at all
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX