Can't load https://crash-stats.mozilla.com/ (SEC_ERROR_BAD_DER) due to Palo Alto firewall

RESOLVED INCOMPLETE

Status


Core
Security: PSM

People

(Reporter: alex_mayorga, Unassigned, NeedInfo)

Tracking

48 Branch

Firefox Tracking Flags

(firefox48 affected)


(Reporter)

Description

2 years ago
¡Hola!

This network uses a Palo Alto thing to MIM all certificates and I can't get to https://crash-stats.mozilla.com/ on Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0 ID:20160315030230 CSet: 5e14887312d4523ab59c3f6c6c94a679cf42b496

Developer Edition gives SEC_ERROR_UNKNOWN_ISSUER and lets me store the exception and go on my merry way.

¡Gracias!
Alex
(David Keeler [:keeler])

Comment 1

It looks like the encoding of the public key from the certificate (emailed privately) is incorrect. It should be a sequence of two positive integers, but the first bit of the encoding of the first integer is set, indicating that it is negative. Basically, whatever created that certificate did so incorrectly. I believe the change that enforces this in mozilla::pkix is here: https://hg.mozilla.org/mozilla-central/diff/3fe8d7d7f9f7/security/pkix/lib/pkixcheck.cpp#l1.177 . Since this landed in 38, I'm not sure why there would be a difference between 47 and 48 as you mentioned on IRC.

Unfortunately, I can't think of a workaround that would be effective other than running your own MITM proxy and chaining the two of them together.
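The DER INTEGER rule from comment 1 (and the conditions the MOZILLA_PKIX_ERROR_INVALID_INTEGER_ENCODING message in comment 4 lists), as an added Python example that is not code from this bug or from mozilla::pkix: a strict parser that rejects a set high bit, a redundant leading 0x00, and zero, run over constructed sample encodings rather than the certificate from the bug.

```python
# Added example, not code from the bug or from mozilla::pkix: a DER INTEGER
# check applying the rule from comment 1. All inputs are constructed.

class InvalidIntegerEncoding(ValueError):
    """Integer encodings that a strict DER verifier rejects."""


def parse_der_positive_integer(der: bytes) -> int:
    """Return the value of a DER INTEGER that must be positive and minimal."""
    if len(der) < 2 or der[0] != 0x02:
        raise InvalidIntegerEncoding("not a DER INTEGER")
    length, start = der[1], 2
    if length & 0x80:  # long-form length: next (length & 0x7f) bytes hold it
        nbytes = length & 0x7F
        if nbytes == 0 or len(der) < 2 + nbytes:
            raise InvalidIntegerEncoding("bad long-form length")
        length, start = int.from_bytes(der[2:2 + nbytes], "big"), 2 + nbytes
    content = der[start:start + length]
    if len(content) != length or len(der) != start + length:
        raise InvalidIntegerEncoding("truncated INTEGER or trailing bytes")
    if length == 0:
        raise InvalidIntegerEncoding("empty INTEGER")
    if content[0] & 0x80:  # DER is two's complement: a set top bit means negative
        raise InvalidIntegerEncoding("negative INTEGER (high bit set)")
    if content[0] == 0x00:
        if length == 1:
            raise InvalidIntegerEncoding("zero is not positive")
        if not content[1] & 0x80:  # a 0x00 pad is only allowed before a high bit
            raise InvalidIntegerEncoding("longer than necessary (redundant 0x00)")
    return int.from_bytes(content, "big")


def classify(der: bytes) -> str:
    """Label one encoding as accepted (with its value) or rejected (with why)."""
    try:
        return f"ok:{parse_der_positive_integer(der)}"
    except InvalidIntegerEncoding as exc:
        return f"rejected: {exc}"


# Constructed sample encodings (hypothetical; not the certificate from the bug).
SAMPLES = {
    "serial 500": bytes.fromhex("020201f4"),     # minimal and positive
    "high bit set": bytes.fromhex("020180"),     # encodes -128: the defect in comment 1
    "redundant pad": bytes.fromhex("0202007f"),  # 127 with a needless 0x00
    "required pad": bytes.fromhex("02020080"),   # 128 needs the 0x00 to stay positive
    "zero": bytes.fromhex("020100"),
}

if __name__ == "__main__":
    for name, der in SAMPLES.items():
        print(f"{name:14} {der.hex():10} {classify(der)}")
```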

Updated

2 years ago
See Also: → bug 1257031

Comment 2

2 years ago
(Updating summary to make it clear the error is due to a Palo Alto thing. I don't have evidence that says it really is a firewall, but according to the Palo Alto website, that's what they sell...)
Summary: Can't load https://crash-stats.mozilla.com/due to SEC_ERROR_BAD_DER → Can't load https://crash-stats.mozilla.com/ (SEC_ERROR_BAD_DER) due to Palo Alto firewall
(Reporter)

Comment 3

2 years ago
(In reply to David Keeler [:keeler] (use needinfo?) from comment #1)
> It looks like the encoding of the public key from the certificate (emailed
> privately) is incorrect. It should be a sequence of two positive integers,
> but the first bit of the encoding of the first integer is set, indicating
> that it is negative. Basically, whatever created that certificate did so
> incorrectly. I believe the change that enforces this in mozilla::pkix is
> here:
> https://hg.mozilla.org/mozilla-central/diff/3fe8d7d7f9f7/security/pkix/lib/
> pkixcheck.cpp#l1.177 . Since this landed in 38, I'm not sure why there would
> be a difference between 47 and 48 as you mentioned on IRC.
> 
> Unfortunately, I can't think of a workaround that would be effective other
> than running your own MITM proxy and chaining the two of them together.

¡Hola David!

So a Palo Alto bug it seems?

Found a couple of paloaltonetworks.com folks so ni? them FWIW...

¡Gracias!
Alex
Flags: needinfo?(zwang)
Flags: needinfo?(bqu)
(Reporter)

Comment 4

2 years ago
¡Hola!

FWIW as of Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0 ID:20160601030219 CSet: 25321494921c824703a605127fb1f99b1faf5910 the message has morphed to:

"Secure Connection Failed

An error occurred during a connection to crash-stats.mozilla.com. The server presented a certificate that contains an invalid encoding of an integer. Common causes include negative serial numbers, negative RSA moduli, and encodings that are longer than necessary. Error code: MOZILLA_PKIX_ERROR_INVALID_INTEGER_ENCODING"

¡Gracias!
Alex
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INCOMPLETE