Closed Bug 1166514 Opened 10 years ago Closed 10 years ago

cryptic site certificate error message when cert has SAN dNSName entries incorrectly containing IP addresses

Categories

(Core :: Security: PSM, defect)

38 Branch
defect
Not set
normal


RESOLVED DUPLICATE of bug 1148766

People

(Reporter: akostadinov, Unassigned)

Details

Attachments

(1 file)

Trying to open a site with a self-signed certificate, I got this error:

> security library: improperly formatted DER-encoded message. (Error code: sec_error_bad_der)

This says very little. I have no idea what's wrong with my certificate. It would be much more helpful if Firefox could tell what things it cannot parse. I'm attaching the server certificates so hopefully somebody can tell me what's wrong with them.

Also, no matter whether some fields cannot be parsed, I think Firefox should allow connecting to the site anyway, just like it is done with expired or other invalid certificates.
I think I found the issue. It is using IP addresses in DNS entries (bug 1148766).

So the issue I see is that since maybe Firefox 33, new versions are very often introducing breaking changes in the certificate and crypto related features without easy-to-understand error messages and often without workarounds. Yes, having things correct on the server side is important, and I'm all for showing the user some error message, warning about insecurities and so on. But outright being unable to get your job done is a great issue.

I appreciate Mozilla's development model, and until recently I didn't even have Chrome installed on my personal workstation. But with so many breakages I'm often forced to go to another browser. Please accept this as feedback from a loyal user. I often don't have the power to change a provider's implementation. And when I have that power, I still need to get my job done in the first place. I don't want and don't like to resort to other browsers when Firefox is working so awesomely for me, and I don't want to need to recommend using another browser for particular tasks, as most people don't care about other values than having things work.

My proposal is to try giving warnings for incorrect things but allow advanced users to continue unless the issue is really unrecoverable. I see the way of thought that very few sites do this or that. But if I really need to perform something, then it doesn't help me that 1000 other sites don't have such an issue.
Hi Alexander, Thanks for filing the bug. Post Bug 1170303, this specific issue will at least be overridable. As you mentioned, Bug 1148766 is the root cause of your issue. The patch attached there will change the verification logic to simply ignore IPv4 dNSName entries, so it doesn't look like a more specific error will be needed after that.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Summary: cryptic site certificate error message → cryptic site certificate error message when cert has SAN dNSName entries incorrectly containing IP addresses
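The misconfiguration behind this bug is a SubjectAltName whose dNSName entries (GeneralName tag [2], an IA5String) carry IP address literals as text, where RFC 5280 wants an iPAddress entry (tag [7], 4 or 16 raw octets). The following is an added example, not code from this bug, from the reporter's attachment, or from PSM: a stdlib-only Python parser for the GeneralNames DER value that lists the SAN entries and flags dNSName entries that are really IP literals, run over two constructed SAN values (one with the broken encoding, one with the correct iPAddress form). The sample bytes, the helper names and the hostname `example.test` are assumptions made for the example.

```python
"""Parse a SubjectAltName extension value (RFC 5280 GeneralNames, DER) and
flag dNSName entries that are really IP address literals.

Added example, not code from the bug or from PSM. The SAN bytes below are
constructed here for illustration; they are not the reporter's attachment.
"""
import ipaddress

TAG_DNSNAME = 0x82    # [2] IMPLICIT IA5String
TAG_IPADDRESS = 0x87  # [7] IMPLICIT OCTET STRING
TAG_SEQUENCE = 0x30


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos).
    Short-form and one- or two-byte long-form lengths are handled, which is
    enough for a SAN extension of realistic size."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 2:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER value")
    return tag, value, pos + length


def _encode_tlv(tag, value):
    """Minimal DER encoder for values shorter than 256 bytes; used only to
    build the constructed sample inputs."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    return bytes([tag, 0x81, len(value)]) + value


def parse_general_names(der):
    """Return a list of (kind, value) tuples for a GeneralNames SEQUENCE."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("SAN is not a single SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == TAG_DNSNAME:
            names.append(("dNSName", value.decode("ascii")))
        elif tag == TAG_IPADDRESS:
            if len(value) not in (4, 16):
                raise ValueError("iPAddress must be 4 or 16 octets")
            # ip_address() accepts the packed octets directly.
            names.append(("iPAddress", str(ipaddress.ip_address(value))))
        else:
            names.append(("other", value))
    return names


def find_ip_literal_dnsnames(der):
    """Return the dNSName values that are actually IP literals, i.e. the
    encoding mistake described in bug 1148766."""
    bad = []
    for kind, value in parse_general_names(der):
        if kind != "dNSName":
            continue
        try:
            ipaddress.ip_address(value)
        except ValueError:
            continue  # a real hostname, fine
        bad.append(value)
    return bad


# Constructed sample: one hostname plus an IPv4 literal wrongly placed in a
# dNSName entry (the shape that triggered this bug).
BROKEN_SAN = _encode_tlv(
    TAG_SEQUENCE,
    _encode_tlv(TAG_DNSNAME, b"example.test")
    + _encode_tlv(TAG_DNSNAME, b"10.0.0.5"))

# Constructed sample: the same names encoded correctly, with the address in
# an iPAddress entry holding the 4 raw octets rather than text.
CORRECT_SAN = _encode_tlv(
    TAG_SEQUENCE,
    _encode_tlv(TAG_DNSNAME, b"example.test")
    + _encode_tlv(TAG_IPADDRESS, ipaddress.ip_address("10.0.0.5").packed))

if __name__ == "__main__":
    print("broken :", find_ip_literal_dnsnames(BROKEN_SAN))   # ['10.0.0.5']
    print("correct:", find_ip_literal_dnsnames(CORRECT_SAN))  # []
    print(parse_general_names(CORRECT_SAN))
```

To run this against a real certificate you would first extract the raw value of the subjectAltName extension (OID 2.5.29.17) from the TBSCertificate; the parser above only covers the GeneralNames value itself, which is the part the bug is about.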