“disabled signature algorithm” error on some websites with sha256WithRSAEncryption certificates

RESOLVED INVALID

Status

()

Core
Security: PSM
RESOLVED INVALID
a year ago
a year ago

People

(Reporter: Lucas Werkmeister, Unassigned)

Tracking

53 Branch
x86_64
Linux
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

a year ago
Created attachment 8835761 [details]
pcap of connection to github.com

Since upgrading Firefox Developer Edition from version 52 to 53, I get a SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED on various websites, including github.com, wikipedia.org and bugzilla.mozilla.org. According to openssl (s_client + x509), they all use the signature algorithm sha256WithRSAEncryption, but so do many other websites that still work, including my personal website (lucaswerkmeister.de).

The bug only occurs in my main profile (I am reporting this bug from a second profile, which can connect to bugzilla.mozilla.org without problems), but persists there even if I restart it in Safe Mode.

I can’t find any non-default settings in my about:config that might be related to this (I searched for “ssl”, “tls” and “sha256”).

I have attached a capture of a connection to github.com from a private window (tcpdump host github.com). Firefox seems to be terminating the connection rather later than the error message suggests; it accepts the server Certificate (acknowledging it with a Change Cipher Spec), and only RSTs the TCP connection after the server’s Change Cipher Spec and Encrypted Handshake Message (presumably: Finished).

Updated

a year ago
Component: Untriaged → Security: PSM
Product: Firefox → Core
If you go to the certificate manager (about:preferences -> Advanced -> Certificates -> View Certificates) do the DigiCert CAs have the expected trust bits set? (See "Authorities" and the "Edit Trust" button.) In particular, how does "DigiCert High Assurance EV Root CA" look?

Thanks!
Flags: needinfo?(lucas.werkmeister)
(Reporter)

Comment 2

a year ago
Thank you, that was the reason. Probably my fault, too – a long time ago (at least a year ago, might be two) I went through the root certificates and disabled all of them, then re-added those I actually needed. I haven’t needed to whitelist an additional root for at least half a year now, though, so I completely forgot about it. Looks like this root is now needed for some reason.

I’m closing this as RESOLVED INVALID, then. Shall I open a new bug for the confusing way the error was reported? After all, it has nothing to do with certificate *algorithms*.
Status: UNCONFIRMED → RESOLVED
Last Resolved: a year ago
Flags: needinfo?(lucas.werkmeister)
Resolution: --- → INVALID
Good to hear. I think the confusing error message is an artifact of how the certificate verifier finds potential paths and the possibility of there being multiple paths to trust anchors (I imagine there's a path from many DigiCert EV end-entities to a root other than the EV one that happen to use a SHA-1 intermediate), so unfortunately it's unlikely that will be fixed.
(Reporter)

Comment 4

a year ago
You’re right, the message is probably accurate for an alternative path. No bug, then.
You need to log in before you can comment on or make changes to this bug.