Name Constrained SSL Certificates with additional EKU Constraints incorrectly reported as "Not Trusted"

RESOLVED INCOMPLETE

Status

Core
Security: PSM
3 years ago
2 years ago

People

(Reporter: Steve Roylance, Unassigned, NeedInfo)

Tracking

38 Branch

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

3 years ago
Created attachment 8621468 [details]
Name Constraints issue with Firefox.pdf

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20150525141253

Steps to reproduce:

The issue affects both Firefox and Thunderbird, so I'll raise two bugs and cross link them. If you view a Name and EKU constrained certificate with the certificate viewer then it reports the certificate as not being trusted. The attached PDF shows in detail the process and error messages. As far as Firefox is concerned I have checked three different CAs and all three fail in the same way.


Actual results:

The reported error is "Could not verify this certificate because it is not trusted"

I have found the same issue also happens in FF 30 (Prior to the new pkix:)

Normal day to day use does not reveal this issue.


Expected results:

The certificate is trusted when viewed from within the session. It's only when the certificate is imported that it presents the issue. Whilst this happens rarely with SSL, it's essential for SMIME for encryption purposes in Thunderbird. The example in this bug is for SSL.
Component: Untriaged → Security: PSM
Product: Firefox → Core
(Reporter)

Comment 1

3 years ago
I also raised a Thunderbird bug for the same issue as it's not exactly the same but similar.
https://bugzilla.mozilla.org/show_bug.cgi?id=1174118 Maybe that should be core too.

Thanks and good luck trying to identify.

FYI here's a tool to be able to create Name and EKU constrained CAs. The test roots are downloadable from the page as is the test subordinate issuing CA (No OCSP as it's only a long term CRL). Simply create a name and EKU constrained CA by adding those names and EKUs via the menu and use any CSR to create the CA.

109.228.18.69/trusted/ 

Let me know any issues.

Is this still an issue?
Flags: needinfo?(steve.roylance)
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INCOMPLETE