Bug 1140332 - 24→31→38 ESR FireFox certificate viewer certificate limitations are overridden by CA trust settings
Status: RESOLVED INVALID (opened 10 years ago, closed 9 years ago)
Product / Component: Core :: Security: PSM (defect)
Reporter: Ikonta; Assignee: Unassigned
Attachments: 4 files
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0
Build ID: 20150209101842
Steps to reproduce:
1. Import the test Certification Authority certificate (ca.crt from the attachments);
2. Import the test client certificate (client1.pfx from the attachments, PIN code 0000);
3. View the client certificate's properties.
Actual results:
4. The certificate is displayed as "SSL Server Certificate" (see View_Cert_main.png in the attachments).
Expected results:
This certificate was generated as client-only (see View_Cert_ext.png in the attachments), with the following in openssl.cnf:
…
nsCertType = client
And that is how (as "SSL Client Certificate") it was displayed by the previous ESR (FireFox 17).
Summary: 24 and 31 ESR FireFoz certificate viewer shows Client certificate as Server → 24 and 31 ESR FireFox certificate viewer shows Client certificate as Server
Updated 10 years ago
Component: Untriaged → Security: PSM
Product: Firefox → Core
In 38 ESR (specifically, now 38.2.1) the behaviour changed for newly imported certificates (i.e. those imported using FireFox 38 ESR).
Instead of "Server Certificate", the viewer shows a "Verification failed" error.
See bug #1202636 for details.
See Also: → 1202636
Following bug #1202636 I've found some more related details:
The described issue is seen when the CA is trusted to identify web servers.
If the CA is trusted for all three (!) tasks (i.e. also email users and software developers), in the certificate viewer I see five (!!!) identities, including the client identity.
So FF seems to override the certificate's limitations with the CA trust settings.
To my mind it would be right to do the following:
1. Extend the CA identities list with a client identity;
2. Remove the email duplicate from the certificate viewer;
3. Improve the import dialog by checking the certificate chain's validity for client certs, blocking import when the CA is not trusted to verify client certs.
Summary: 24 and 31 ESR FireFox certificate viewer shows Client certificate as Server → 24→31→38 ESR FireFox certificate viewer certificate limitations are overridden by CA trust settings
Comment 6 • 9 years ago
mozilla::pkix does not support the nsCertType extension. If it's marked critical, the certificate will be rejected. If it's not marked critical, it will be ignored. Either way, this won't work as you're intending it to. The extendedKeyUsage extension is the standardized extension to use for this purpose.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
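The following is an added illustration of the behaviour comment 6 describes; it is example code written for this page, not Mozilla's code and not part of the original bug. It encodes the two extensions involved in DER, parses them back, and applies the rule from comment 6 to a toy end-entity check: an unknown critical extension rejects the certificate, an unknown non-critical extension is ignored, and only extendedKeyUsage limits what the certificate may be used for. With no EKU present (which is what `nsCertType = client` alone produces), the leaf imposes no limit, so the usages the viewer lists are exactly those the CA is trusted for, as the reporter observed. The OIDs and DER encodings are standard; the helper names, the `usages_shown` check and its error string are assumptions made for this example. The openssl.cnf line that expresses the intended restriction in the standardized extension is `extendedKeyUsage = clientAuth`.

```python
"""Toy model (added example, not Mozilla code) of how a mozilla::pkix-style
verifier treats the legacy nsCertType extension versus extendedKeyUsage."""

OID_NS_CERT_TYPE = "2.16.840.1.113730.1.1"   # Netscape nsCertType (legacy)
OID_EXT_KEY_USAGE = "2.5.29.37"              # RFC 5280 extendedKeyUsage
USAGE_OIDS = {                               # RFC 5280 id-kp-* purposes
    "server": "1.3.6.1.5.5.7.3.1",           # serverAuth
    "client": "1.3.6.1.5.5.7.3.2",           # clientAuth
    "email": "1.3.6.1.5.5.7.3.4",            # emailProtection
}


# --- minimal DER encoder -----------------------------------------------------
def _len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def _oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _extension(oid, critical, value_der):
    # Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    flag = _tlv(0x01, b"\xff") if critical else b""
    return _tlv(0x30, _oid(oid) + flag + _tlv(0x04, value_der))


def ns_cert_type_client(critical=False):
    # nsCertType is a BIT STRING; the first bit (0x80) means "SSL client", 7 trailing bits unused.
    return _extension(OID_NS_CERT_TYPE, critical, _tlv(0x03, b"\x07\x80"))


def extended_key_usage(*usages, critical=False):
    # ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId
    return _extension(OID_EXT_KEY_USAGE, critical,
                      _tlv(0x30, b"".join(_oid(USAGE_OIDS[u]) for u in usages)))


def extensions(*exts):
    return _tlv(0x30, b"".join(exts))


# --- minimal DER decoder -----------------------------------------------------
def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def parse_extensions(der):
    """Return [(oid, critical, extnValue bytes), ...] from a DER Extensions SEQUENCE."""
    _, body, _ = _read_tlv(der, 0)
    exts, pos = [], 0
    while pos < len(body):
        _, ext, pos = _read_tlv(body, pos)
        _, oid_body, p = _read_tlv(ext, 0)
        tag, val, p = _read_tlv(ext, p)
        critical = False
        if tag == 0x01:                      # optional critical BOOLEAN present
            critical = val != b"\x00"
            tag, val, p = _read_tlv(ext, p)
        exts.append((_decode_oid(oid_body), critical, val))
    return exts


def _parse_eku(val):
    _, body, _ = _read_tlv(val, 0)
    oids, pos = [], 0
    while pos < len(body):
        _, oid_body, pos = _read_tlv(body, pos)
        oids.append(_decode_oid(oid_body))
    return oids


# --- the policy stated in comment 6 (assumed simplification) -----------------
def usages_shown(extensions_der, ca_trust):
    """Usages the viewer would list for the end-entity cert, given the set of
    usages the CA is trusted for, or the error string the check would return."""
    eku = None
    for oid, critical, val in parse_extensions(extensions_der):
        if oid == OID_EXT_KEY_USAGE:
            eku = _parse_eku(val)
        elif critical:                       # e.g. nsCertType marked critical
            return "ERROR_UNKNOWN_CRITICAL_EXTENSION"
        # unknown non-critical extension (nsCertType as OpenSSL emits it): ignored
    # No EKU => the leaf does not limit usage; only the CA's trust settings do.
    return {u for u in ca_trust if eku is None or USAGE_OIDS[u] in eku}


if __name__ == "__main__":
    for trust in ({"server"}, {"server", "client", "email"}):
        print("nsCertType=client, CA trusted for", sorted(trust), "->",
              usages_shown(extensions(ns_cert_type_client()), trust))
    print("nsCertType critical ->",
          usages_shown(extensions(ns_cert_type_client(True)), {"server"}))
    print("EKU clientAuth, CA trusted for all ->",
          usages_shown(extensions(extended_key_usage("client")), {"server", "client", "email"}))
```

Run it as a script: the first two lines reproduce the reporter's observations (the client-only certificate appears as a server certificate when the CA is trusted only for web servers, and for every trusted purpose when the CA is trusted for all of them), the third shows what happens if nsCertType is made critical, and the last shows that an EKU of clientAuth is the only form of the restriction this kind of verifier honours.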