Closed Bug 1256982 Opened 10 years ago Closed 9 years ago

Can't load https://crash-stats.mozilla.com/ (SEC_ERROR_BAD_DER) due to Palo Alto firewall

Categories

Product/Component: Core :: Security: PSM (defect)
Version: 48 Branch
Type: defect
Priority: Not set
Severity: normal

Tracking

Status: RESOLVED INCOMPLETE
Tracking Status: firefox48 --- affected

People

(Reporter: alex_mayorga, Unassigned, NeedInfo)

References

Details

¡Hola! This network uses a Palo Alto thing to MIM all certificates and I can't get to https://crash-stats.mozilla.com/ on Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0 ID:20160315030230 CSet: 5e14887312d4523ab59c3f6c6c94a679cf42b496. Developer Edition gives SEC_ERROR_UNKNOWN_ISSUER and lets me store the exception and go on my merry way. ¡Gracias! Alex
It looks like the encoding of the public key from the certificate (emailed privately) is incorrect. It should be a sequence of two positive integers, but the first bit of the encoding of the first integer is set, indicating that it is negative. Basically, whatever created that certificate did so incorrectly. I believe the change that enforces this in mozilla::pkix is here: https://hg.mozilla.org/mozilla-central/diff/3fe8d7d7f9f7/security/pkix/lib/pkixcheck.cpp#l1.177 . Since this landed in 38, I'm not sure why there would be a difference between 47 and 48 as you mentioned on IRC. Unfortunately, I can't think of a workaround that would be effective other than running your own MITM proxy and chaining the two of them together.
See Also: → 1257031
(Updating summary to make it clear the error is due to a Palo Alto thing. I don't have evidence that says it really is a firewall, but according to the Palo Alto website, that's what they sell...)
Summary: Can't load https://crash-stats.mozilla.com/due to SEC_ERROR_BAD_DER → Can't load https://crash-stats.mozilla.com/ (SEC_ERROR_BAD_DER) due to Palo Alto firewall
(In reply to David Keeler [:keeler] (use needinfo?) from comment #1)
> It looks like the encoding of the public key from the certificate (emailed
> privately) is incorrect. It should be a sequence of two positive integers,
> but the first bit of the encoding of the first integer is set, indicating
> that it is negative. Basically, whatever created that certificate did so
> incorrectly. I believe the change that enforces this in mozilla::pkix is
> here:
> https://hg.mozilla.org/mozilla-central/diff/3fe8d7d7f9f7/security/pkix/lib/pkixcheck.cpp#l1.177 . Since this landed in 38, I'm not sure why there would
> be a difference between 47 and 48 as you mentioned on IRC.
>
> Unfortunately, I can't think of a workaround that would be effective other
> than running your own MITM proxy and chaining the two of them together.

¡Hola David! So a Palo Alto bug it seems? Found a couple of paloaltonetworks.com folks so ni? them FWIW... ¡Gracias! Alex
Flags: needinfo?(zwang)
Flags: needinfo?(bqu)
¡Hola! FWIW as of Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0 ID:20160601030219 CSet: 25321494921c824703a605127fb1f99b1faf5910 the message has morphed to:

"Secure Connection Failed
An error occurred during a connection to crash-stats.mozilla.com. The server presented a certificate that contains an invalid encoding of an integer. Common causes include negative serial numbers, negative RSA moduli, and encodings that are longer than necessary.
Error code: MOZILLA_PKIX_ERROR_INVALID_INTEGER_ENCODING"

¡Gracias! Alex
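The rule Keeler describes in comment #1, and that the later error text spells out (negative RSA modulus, negative serial, or a longer-than-necessary encoding), is easy to reproduce outside Firefox. The script below is an added example written for this page; it is not mozilla::pkix code and not anything from Palo Alto Networks. It parses an RSAPublicKey SEQUENCE of two DER INTEGERs and applies the two checks pkix applies: the first content byte must not have its high bit set (that would make the INTEGER negative), and a leading 0x00 is only allowed when the next byte has its high bit set (otherwise the encoding is longer than necessary). The modulus and exponent values, and the helper that builds a deliberately unpadded modulus to mimic the broken interception certificate, are constructed for the example. A real validator would first unwrap the SubjectPublicKeyInfo and its BIT STRING; that outer layer is omitted here.

```python
"""DER INTEGER sanity checks in the spirit of mozilla::pkix (added example,
not Mozilla's or Palo Alto's code). Parses RSAPublicKey ::= SEQUENCE {
modulus INTEGER, publicExponent INTEGER } and rejects negative or
non-minimal INTEGER encodings."""


def der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form
        return first, pos
    nbytes = first & 0x7F                 # long form: number of length bytes
    if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
        raise ValueError("unsupported or truncated length")
    length = int.from_bytes(buf[pos:pos + nbytes], "big")
    # DER forbids leading zero length bytes and long form for lengths < 128
    if buf[pos] == 0 or length < 0x80:
        raise ValueError("non-minimal length encoding")
    return length, pos + nbytes


def read_tlv(buf, pos, expected_tag):
    """Read one TLV with the given tag; return (contents, position after it)."""
    if pos >= len(buf) or buf[pos] != expected_tag:
        raise ValueError("expected tag 0x%02x at offset %d" % (expected_tag, pos))
    length, pos = der_length(buf, pos + 1)
    end = pos + length
    if end > len(buf):
        raise ValueError("length exceeds buffer")
    return buf[pos:end], end


def check_positive_integer(contents):
    """The pkix rule: INTEGER must be positive and minimally encoded."""
    if len(contents) == 0:
        raise ValueError("empty INTEGER")
    if contents[0] & 0x80:
        # Two's complement: a set high bit means the value is negative.
        raise ValueError("negative INTEGER (high bit of first byte set)")
    if len(contents) > 1 and contents[0] == 0x00 and not (contents[1] & 0x80):
        # 0x00 pad is only legal when it is needed to keep the value positive.
        raise ValueError("non-minimal INTEGER encoding (unneeded leading 0x00)")
    return int.from_bytes(contents, "big")


def parse_rsa_public_key(der):
    """Return (modulus, exponent) or raise ValueError describing the defect."""
    seq, end = read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    n_bytes, pos = read_tlv(seq, 0, 0x02)
    e_bytes, pos = read_tlv(seq, pos, 0x02)
    if pos != len(seq):
        raise ValueError("trailing bytes inside SEQUENCE")
    return check_positive_integer(n_bytes), check_positive_integer(e_bytes)


def validate_rsa_public_key(der):
    """(True, None) if the key parses cleanly, else (False, reason)."""
    try:
        parse_rsa_public_key(der)
    except ValueError as exc:
        return False, str(exc)
    return True, None


# --- encoders used only to build constructed sample input -------------------

def der_length_encode(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def der_integer(value, pad=True):
    """Encode a non-negative int. pad=False deliberately drops the 0x00 pad
    byte that a value with its top bit set needs; that is the kind of defect
    the bug describes (the modulus reads as negative)."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if pad and body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length_encode(len(body)) + body


def der_sequence(*items):
    body = b"".join(items)
    return b"\x30" + der_length_encode(len(body)) + body


# Constructed sample values (not a real key): a toy modulus whose top bit is set.
N = 0xDEADBEEFCAFEF00D
E = 65537

GOOD_KEY = der_sequence(der_integer(N), der_integer(E))                # 02 09 00 DE ...
BAD_KEY = der_sequence(der_integer(N, pad=False), der_integer(E))      # 02 08 DE ... (negative)
NONMINIMAL_KEY = der_sequence(der_integer(N), b"\x02\x04\x00\x01\x00\x01")  # e padded needlessly

if __name__ == "__main__":
    for name, key in (("good", GOOD_KEY), ("bad", BAD_KEY), ("nonminimal", NONMINIMAL_KEY)):
        print(name, key.hex(), validate_rsa_public_key(key))
```

The unpadded modulus is exactly the case from comment #1: the first content byte of the modulus is 0xDE, so a strict DER decoder reads the INTEGER as negative and pkix refuses the certificate. The third sample shows the other cause named in the Firefox 49 error text, an exponent encoded with a leading 0x00 that serves no purpose. Older NSS accepted both forms, which is why the same interception certificate could produce the softer SEC_ERROR_UNKNOWN_ISSUER on a build without the pkix check.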
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE