Closed Bug 1140332 Opened 10 years ago Closed 9 years ago

24→31→38 ESR FireFox certificate viewer certificate limitations are overridden by CA trust settings

Categories

(Core :: Security: PSM, defect)

31 Branch
x86_64
Linux
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: Ikonta, Unassigned)

Attachments

(4 files)

Attached image View_Cert_main.png
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0
Build ID: 20150209101842

Steps to reproduce:
1. Import test Certification Authority certificate (ca.crt from attach);
2. Import test Client certificate (client1.pfx from attach, pin code — 0000);
3. View Client certificate properties;

Actual results:
4. The certificate is displayed as "SSL Server Certificate" (see View_Cert_main.png from attach).

Expected results:
But this certificate was generated as client-only (see View_Cert_ext.png from attach), openssl.cnf:
…
nsCertType = client
And in this way (as "SSL Client Certificate") it was displayed by the previous ESR (FireFox-17).
Attached image View_Cert_ext.png
Attached file ca.crt
Attached file client1.pfx
Summary: 24 and 31 ESR FireFoz certificate viewer shows Client certificate as Server → 24 and 31 ESR FireFox certificate viewer shows Client certificate as Server
Component: Untriaged → Security: PSM
Product: Firefox → Core
In 38 ESR (particularly, now 38.2.1) the behaviour changed for newly imported certificates (i.e. those imported using FireFox 38 ESR). Instead of "Server Certificate", the viewer shows a "Verification failed" error. See bug #1202636 for details.
See Also: → 1202636
Following bug #1202636 I've found some more related details: the described issue is seen when the CA is trusted to identify web-servers. If the CA is trusted for all three (!) tasks (= email users and software developers), in the certificate viewer I see five (!!!) identities, including the client identity. So, FF seems to override certificate limitations by CA trust settings. To my mind it would be right to do the following:
1. Extend the CA identities list with the client identity;
2. Remove the email dup from the certificate viewer;
3. Improve the import dialog with a check of the certificate chain's validity for client certs, blocking import when the CA is not trusted to verify client certs.
Summary: 24 and 31 ESR FireFox certificate viewer shows Client certificate as Server → 24→31→38 ESR FireFox certificate viewer certificate limitations are overridden by CA trust settings
mozilla::pkix does not support the nsCertType extension. If it's marked critical, the certificate will be rejected. If it's not marked critical, it will be ignored. Either way, this won't work as you're intending it to. The extendedKeyUsage extension is the standardized extension to use for this purpose.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
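As an added illustration of the rule stated in the resolving comment (not code from Mozilla, mozilla::pkix or this bug's attachments), the following Python 3 script builds the two extensions as DER and applies the stated policy: extendedKeyUsage is honoured, a non-critical nsCertType is ignored, a critical nsCertType causes rejection. The OID byte strings are the standard DER encodings; classify() is a simplified model of that policy, not the real verifier, and the sample extension sets are constructed here rather than taken from client1.pfx.

```python
# Added example, not Mozilla code: a small DER model of the rule in the comment
# above. mozilla::pkix honours extendedKeyUsage, ignores a non-critical
# nsCertType and rejects a certificate whose nsCertType is marked critical.
NS_CERT_TYPE = bytes.fromhex("6086480186f842010101")  # 2.16.840.1.113730.1.1 (Netscape, legacy)
EXT_KEY_USAGE = bytes.fromhex("551d25")               # 2.5.29.37 (X.509 extendedKeyUsage)
EKU_NAMES = {bytes.fromhex("2b06010505070301"): "serverAuth",   # 1.3.6.1.5.5.7.3.1
             bytes.fromhex("2b06010505070302"): "clientAuth"}   # 1.3.6.1.5.5.7.3.2

def tlv(tag, body):                    # DER tag-length-value, short-form length only
    assert len(body) < 128, "long-form lengths not modelled"
    return bytes([tag, len(body)]) + body

def parse_tlv(buf, i=0):               # -> (tag, body, offset of the next element)
    tag, n = buf[i], buf[i + 1]        # short-form length, matching tlv()
    return tag, buf[i + 2:i + 2 + n], i + 2 + n

def extension(oid, value, critical=False):  # SEQUENCE { OID, [BOOLEAN critical], OCTET STRING }
    crit = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, tlv(0x06, oid) + crit + tlv(0x04, value))

def ns_cert_type_ext(bits, critical=False):   # bits: 0x80 = SSL client, 0x40 = SSL server
    unused = (bits & -bits).bit_length() - 1  # BIT STRING: number of unused trailing bits
    return extension(NS_CERT_TYPE, tlv(0x03, bytes([unused, bits])), critical)

def eku_ext(purposes):                        # ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId
    return extension(EXT_KEY_USAGE, tlv(0x30, b"".join(tlv(0x06, p) for p in purposes)))

def classify(exts):                    # -> ("ok", [usages]) or ("rejected", [])
    usages, i = [], 0
    while i < len(exts):               # exts: concatenated Extension SEQUENCEs
        _, ext, i = parse_tlv(exts, i)
        _, oid, j = parse_tlv(ext)
        tag, body, j = parse_tlv(ext, j)
        critical = tag == 0x01         # BOOLEAN present means critical TRUE
        if critical:
            _, body, j = parse_tlv(ext, j)
        if oid == NS_CERT_TYPE and critical:
            return "rejected", []      # unsupported critical extension
        if oid == EXT_KEY_USAGE:       # a non-critical nsCertType falls through, ignored
            _, seq, _ = parse_tlv(body)
            k = 0
            while k < len(seq):
                _, purpose, k = parse_tlv(seq, k)
                usages.append(EKU_NAMES.get(purpose, purpose.hex()))
    return "ok", usages

CLIENT_NSCERTTYPE_ONLY = ns_cert_type_ext(0x80)                     # constructed sample, not client1.pfx
CLIENT_NSCERTTYPE_CRITICAL = ns_cert_type_ext(0x80, critical=True)  # constructed sample
CLIENT_EKU = eku_ext([bytes.fromhex("2b06010505070302")])           # constructed sample: clientAuth
```

A certificate carrying only nsCertType = client therefore yields no recognised usage at all, which is why the viewer falls back to the CA's trust settings; adding an extendedKeyUsage of clientAuth is what actually conveys the limitation.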