Closed Bug 1157668 Opened 9 years ago Closed 9 years ago

sec_error_bad_der due to empty SAN

Categories

(Core :: Security: PSM, defect)

37 Branch
All
Windows 7
defect
Not set
major

RESOLVED DUPLICATE of bug 1143085

People

(Reporter: vladimirtt, Unassigned)

Details

Attachments

(2 files)

Attached image sec_error_bad_der.png
User Agent: Mozilla/5.0 (X11; FreeBSD i386; rv:12.0) Gecko/20100101 Firefox/12.0
Build ID: 20131015173630

Steps to reproduce:

I have tried to access over HTTPS an intranet site (a company internal one).


Actual results:

I've got the following error:

Secure Connection Failed

An error occurred during a connection to login.prod.partygaming.local. security library: improperly formatted DER-encoded message. (Error code: sec_error_bad_der) 


Expected results:

The site should load successfully.

It is loaded successfully when accessed with Firefox 30, Chrome 42 and Internet Explorer 11.
The issue is confirmed to happen with Firefox 37.0.2 on Mac OS X and Windows 7.
Severity: normal → major
OS: Unspecified → Windows 7
Hardware: Unspecified → All
This might be a duplicate of Bug 1148766... Can you check your certs (e.g. using openssl like in Bug 1148766 comment 22) to see if they contain Subject Alternative Name entries with IPs specified as DNS entries?
Flags: needinfo?(vladimirtt)
Attached image empty_san.png
Flags: needinfo?(vladimirtt)
I would not say this is a duplicate of Bug 1148766, but it might be related (Bug 1148766 concerns Firefox 37, but I have faced the issue on Firefox 36 as well).

The end-entity certificate has a SAN extension, but it is empty (for some reason our internal CA generates certificates this way, but it has never been a problem so far with Firefox or any other browser).

OpenSSL shows:

     X509v3 Subject Alternative Name: 
         <EMPTY>


Please check the attached screen-shot (empty_san.png) about how Chrome on Mac OS X shows it.
Ah, in this case this is probably Bug 1143085. Could you try on Firefox 38 or above?
Flags: needinfo?(vladimirtt)
Both bugs seem the same. Let me try FF 38 and I'll provide a confirmation.
Flags: needinfo?(vladimirtt)
I have tried with Firefox 38.0b6 and it works as before Firefox 36, e.g. the issue does not happen with Firefox 38.

You can mark this bug as a duplicate of Bug 1143085.

When is the expected release date of Firefox 38?
(In reply to vladimirtt from comment #7)
> I have tried with Firefox 38.0b6 and it works as before Firefox 36, e.g. the
> issue does not happen with Firefox 38.
> 
> You can mark this bug as a duplicate of Bug 1143085.

Thanks for testing.

> When is the expected release date of Firefox 38?

Currently scheduled for release the week of 2015-05-12: https://wiki.mozilla.org/RapidRelease/Calendar
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Component: Untriaged → Security: PSM
Product: Firefox → Core
Resolution: --- → DUPLICATE
Summary: Secure Connection Failed -- security library: improperly formatted DER-encoded message. (Error code: sec_error_bad_der) → sec_error_bad_der due to empty SAN
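
The empty SAN extension reported in this thread can be caught before a certificate is deployed. The following is an added example, not part of the original bug thread or of Mozilla's code: it walks DER with the Python standard library and returns how many GeneralName entries each SAN extension holds (RFC 5280 requires at least one). The function names and the sample bytes are constructed for illustration.

```python
# Added example (not from the bug thread): count GeneralName entries per SAN.
SAN_OID = bytes.fromhex("551d11")  # 2.5.29.17 subjectAltName

def read_tlv(buf, pos, limit):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    if pos + 2 > limit or buf[pos] & 0x1F == 0x1F:
        raise ValueError("truncated header or unsupported multi-byte tag")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form; 0x80 alone (indefinite length) is not DER
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > limit:
            raise ValueError("bad length octets")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > limit:
        raise ValueError("value overruns its container")
    return tag, pos, pos + length

def children(buf, start, end):
    """List the (tag, value_start, value_end) TLVs filling buf[start:end]."""
    out = []
    while start < end:
        out.append(read_tlv(buf, start, end))
        start = out[-1][2]
    return out

def san_entry_counts(der):
    """Return the GeneralName count of every SAN extension found in der."""
    counts = []
    def walk(start, end):
        for tag, vs, ve in children(der, start, end):
            if not tag & 0x20:  # primitive type: nothing nested to visit
                continue
            kids = children(der, vs, ve)
            if (tag == 0x30 and len(kids) >= 2 and kids[0][0] == 0x06
                    and der[kids[0][1]:kids[0][2]] == SAN_OID and kids[-1][0] == 0x04):
                # extnValue is an OCTET STRING wrapping the GeneralNames SEQUENCE
                gtag, gs, ge = read_tlv(der, kids[-1][1], kids[-1][2])
                if gtag != 0x30:
                    raise ValueError("SAN extnValue does not hold a SEQUENCE")
                counts.append(len(children(der, gs, ge)))
            else:
                walk(vs, ve)
    walk(0, len(der))
    return counts

def tlv(tag, body):  # builder for the constructed samples below (short lengths only)
    return bytes([tag, len(body)]) + body

def sample(names):  # constructed [3] Extensions wrapper, not a real certificate
    return tlv(0xA3, tlv(0x30, tlv(0x30, tlv(0x06, SAN_OID) + tlv(0x04, tlv(0x30, names)))))
EMPTY_SAN, ONE_NAME = sample(b""), sample(tlv(0x82, b"intranet.example"))
```

A count of 0 corresponds to the `<EMPTY>` that OpenSSL printed above; the same function accepts a full DER-encoded certificate, for example the output of `ssl.PEM_cert_to_DER_cert`.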