Closed Bug 1473947 Opened 7 years ago Closed 7 years ago

Cert chain doesn't verify

Categories

(DevTools :: Netmonitor, defect, P4)

60 Branch
defect

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: d3ck0r, Unassigned)

Details

Attachments

(6 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180605171542

Steps to reproduce:

I get the error

An error occurred during a connection to 198.143.191.26:8001. Certificate extension value is invalid. Error code: SEC_ERROR_EXTENSION_VALUE_INVALID

https://198.143.191.26:8001/

That is a test port that uses the cert chain directly on https://. The actual use is https://www.chatment.com, which will fail connection and take you to steps to get the service root cert; the above error happens before chain resolution though, so that is not required or even used. This connection happens over wss://.

In either https:// or ws:// connections in the developer tools, there is no way to check the certificates. It would be really wonderful if there was a website I could paste my PEMs in a chain and get detailed information about what exactly is failing.

Actual results:

Connection failed.
Clicking on the information button in the address bar for more information does not show the certificate.

Expected results:

Using www.chatment.com; get taken to steps to install the service trust root cert, reload, and then get wss:// connections securely.
As far as I can tell you want a way to inspect certificate data more easily on failed connections, and you're not reporting a security bug, so I'm unhiding this report.
Group: firefox-core-security
Component: Untriaged → Netmonitor
Product: Firefox → DevTools
I'd like to know why the cert chain doesn't verify.

I was trying to post this on https://groups.google.com/forum/#!forum/mozilla.dev.tech.crypto

It's easiest to just give you the work-in-progress link... This is the site I'm working on. https://www.chatment.com/

This is the error I get

An error occurred during a connection to 198.143.191.26:<some port>. Certificate extension value is invalid. Error code: SEC_ERROR_EXTENSION_VALUE_INVALID

on the wss:// connection to the services.

I found https://wiki.mozilla.org/SecurityEngineering/x509Certs

SEC_ERROR_EXTENSION_VALUE_INVALID: A certificate has an extension with an empty value. Re-generate the certificate without the extension, or re-generate it with a non-empty value.

I managed to catch the certificates in wireshark, and there are extensions, and all of them have a value. So it's probably that there's some extension that's not there...
(In reply to d3ck0r from comment #0)
> An error occurred during a connection to 198.143.191.26:8001. Certificate
> extension value is invalid. Error code: SEC_ERROR_EXTENSION_VALUE_INVALID

Where exactly did you get that error?

> It would be really wonderful if there was a website I could paste my PEMs in
> a chain and get detailed information about what exactly is failing.

A website? How is that related to the DevTools & Network panel?

> Connection failed.
> Clicking on the information button in the address bar for more information
> does not show the certificate.

Can you please post a screenshot of what you see on the screen?

> Using www.chatment.com; get taken to steps to install the service trust root
> cert, reload, and then get wss:// connections securely.

Can you provide more info about what steps/how/by devtools/by the browser?

(In reply to d3ck0r from comment #2)
> This is the error I get
>
> An error occurred during a connection to 198.143.191.26:<some
> port>. Certificate extension value is invalid. Error code:
> SEC_ERROR_EXTENSION_VALUE_INVALID

Where exactly do you see the error?

When selecting the ws: request in the Network panel and consequently selecting the Security side panel, I am seeing:

An error occurred: SEC_ERROR_EXTENSION_VALUE_INVALID

Could we somehow improve this side panel to solve the issue?

Honza
Priority: -- → P4
Attached image common-name-failed.png
> An error occurred during a connection to 198.143.191.26:8001. Certificate
> extension value is invalid. Error code: SEC_ERROR_EXTENSION_VALUE_INVALID
>
> Where exactly did you get that error?

That is a copy of the error logged in the console.

> A website? How is that related to the DevTools & Network panel?

Because it's diagnosing how the client is failing. It's failing to resolve the certificate chain in the first place, and there's no information about what is empty or assumed to be empty.

(in this case the cert common name does NOT match; and this is all the info I can get from firefox)
https://drive.google.com/open?id=115PAwFZlXtkZe3qLWl_6iQ2g3t0kGRNC

This is the same connection/cert error in chrome; which allows me to view the certificate details also.
https://drive.google.com/open?id=1fSrkyJAxCoMpXwH75cnobugFiAVsmCb_

I don't have issues verifying the initial chain given I thought I had attached a copy of the cert chain as a file.... I'm digging that up.
Attached file certificateinfo.txt
certificateinfo.txt is the full chain including the self-signed root that is failing.

IE, Chrome, node, all have no issues; so since firefox is the one with the issue, a list of 'checking item' 'result' would be nice to have (no other browser even has that) ...

| checking item | result |
|----|----|
| Valid from | pass |
| Valid until | pass | (maybe if fail, the date that is in the cert)
| Common Name | <site> matches/does not match <info from cert> |
| Extension XXX | .....???...... |
Can no one just give me a quick answer so I can fix my cert generation? While improvement of the information available to the end user about certificate failure would be a great thing, I do need to move forward....
Oh and I don't really want to download and build and debug it myself...
I had a mercurial clone from 1-18-2016; between then and now, the server fingerprint changed, and I couldn't figure out how to clear mercurial's idea of valid fingerprints; so I gave up and just deleted the old and re-cloned the repo. Now it wants visual studio 15.6+ installed. That's not an option for Community; it claims update 5 is the latest. I do see there's update 15.8.3 even, but the only choice I'm given with the installer is 15.7.5. https://docs.microsoft.com/en-us/visualstudio/releasenotes/vs2017-relnotes

I guess I can install preview.... Installing — Visual Studio Community 2017 Preview — 15.8.0 Preview 4.0
./mach build finds the preview version....

 0:02.79 checking for the target C compiler... 'C:/PROGRA~2/MICROS~2/Preview/Community/VC/Tools/MSVC/14.15.26629/bin/HostX64/x86/cl.exe'

but still complains.

 0:02.86 ERROR: This version (19.15.26629) of the MSVC compiler is not supported due to compiler bugs.
 0:02.86 You must install Visual C++ 2017 Update 6 in order to build.
You can use a site like this: https://whatsmychaincert.com/?198.143.191.26:8001 to check your chain. It's giving more specific information:

An error occurred when building the chain for this certificate. The certificate might lack necessary meta-data or its certificate authority might be malfunctioning.

Details:
* The chain contains an untrusted certificate without standard CA issuer information (subject = "C=US, ST=NV, L=Las Vegas, OU=Secure Services, O=Karaway, CN=Chatment Core HTTP"; issuer = "C=US, ST=NV, L=Las Vgeas, OU=Secure Services, O=Karaway, CN=Chatment CA Cert"; error code = 20)

https://www.sslshopper.com/ssl-checker.html#hostname=https://198.143.191.26:8001/ provides information as well. It's saying that your top level CA is not linked to a trusted root.
The typical usage is to not include the root certificate as part of the chain (the last cert in the file) and to import that as a trusted root certificate. That is not the error that is being generated. And again, I have no issues connecting (after installing the root certificate in the trusted stores in windows or on android) - and the error changes to the one I've listed in the first case that gives no details.

SEC_ERROR_EXTENSION_VALUE_INVALID - Think that is actually 'root cert not installed?' no.
I have since updated https://chatment.com to use the new redirect auth method; so just connecting to the page, a background websocket connection fails, and jumps the main page to the end where information about installing the root cert is included; even added a section for firefox which has its own management.

A wss:// socket shows very little information in the debug panel - trying to get any info about the websocket failure I think has a single line like 'An error occurred: SEC_ERROR_EXTENSION_VALUE_INVALID' (adding screenshot)
Attached image chatment.com-info.png
The console output

Firefox can’t establish a connection to the server at wss://198.143.191.26:39291/.

There's more information attempting to connect with https. (the port specified is random and cannot be used without proper negotiation). Although I did notice I could use https://198.143.191.26:8001 .... which shows this on the page...

-----
Secure Connection Failed

An error occurred during a connection to 198.143.191.26:8001. Certificate extension value is invalid. Error code: SEC_ERROR_EXTENSION_VALUE_INVALID

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
----
There is an info panel you can get on an https connection (clicking the icon on the left side of the address bar); in that dialog there is 'View Certificate', and clicking this button does nothing.
Attached file certs+ossltest.zip
Can even break them into separate files and use openssl command line to verify

c:\tools\unix\OpenSSL64\openssl.exe verify -CAfile root.txt -untrusted ca.txt cert.txt
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
cert.txt: OK

(attached file has new cert; the original chain will have expired, given that the cert only lives for 7 days.)

So, anyone have any information why firefox is failing to verify the cert chain?

I managed to get firefox to build, but adding printf, I realized there was no way to capture that redirection; tried setting a breakpoint in the relevant code, but, since firefox opens 4 instances, I guess I wasn't attached to the actual one that did the request. I tried adding MessageBox in the area, but didn't get any of those triggered anyway. How is any debugging done on firefox?
Wondering if Dana has any insight...
Flags: needinfo?(dkeeler)
In the intermediate and root certificate, the basicConstraints extension is encoded incorrectly. Under DER rules, BOOLEAN values must be encoded with every bit set to 1: https://www.itu.int/ITU-T/studygroups/com10/languages/X.690_1297.pdf (section 11.1). Interestingly, the keyUsage extensions are encoded correctly. https://github.com/awslabs/certlint is a utility that might have been helpful in narrowing down the error, although all it says is "BasicConstraints is not encoded using DER" without any further details.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Flags: needinfo?(dkeeler)
Resolution: --- → INVALID
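Added example (not part of this bug thread): a small stdlib-only Python checker for the X.690 11.1 rule the previous comment cites (a DER BOOLEAN TRUE is exactly one octet 0xFF), extended to the related DER rule that a DEFAULT value (cA FALSE) must be omitted. The two Extension blobs at the end are constructed samples, not the reporter's certificates.

```python
from typing import Iterator, Optional, Tuple

BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # content octets of OID 2.5.29.19


def tlvs(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, value) for each TLV in a DER blob (single-octet tags, definite lengths)."""
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:  # long form: low bits give the number of length octets
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length


def check_basic_constraints(value: bytes) -> list:
    """Return DER findings for a BasicConstraints value (the extnValue OCTET STRING content)."""
    items = list(tlvs(value))
    if len(items) != 1 or items[0][0] != 0x30:
        return ["value is not a single SEQUENCE"]
    findings = []
    for tag, content in tlvs(items[0][1]):
        if tag == 0x01:  # cA BOOLEAN DEFAULT FALSE
            if content == b"\x00":
                findings.append("cA FALSE is the DEFAULT and must be omitted under DER")
            elif content != b"\xff":  # X.690 11.1: TRUE is exactly one octet 0xFF
                findings.append("BOOLEAN TRUE encoded as %s; DER requires 0xFF" % content.hex())
        elif tag != 0x02:  # 0x02 is the optional pathLenConstraint INTEGER
            findings.append("unexpected tag 0x%02x in BasicConstraints" % tag)
    return findings


def find_basic_constraints(der: bytes) -> Optional[bytes]:
    """Walk any DER structure (e.g. a whole certificate) and return the basicConstraints extnValue."""
    for tag, content in tlvs(der):
        if tag == 0x30:
            inner = list(tlvs(content))
            if inner and inner[0] == (0x06, BASIC_CONSTRAINTS_OID) and inner[-1][0] == 0x04:
                return inner[-1][1]
        if tag in (0x30, 0x31) or (tag & 0xA0) == 0xA0:  # descend into constructed types
            found = find_basic_constraints(content)
            if found is not None:
                return found
    return None


# Constructed sample Extension SEQUENCEs { extnID OID, critical BOOLEAN, extnValue OCTET STRING }:
GOOD_EXT = bytes.fromhex("300f0603551d130101ff04053003" + "0101ff")  # cA TRUE as 0xFF (DER)
BAD_EXT = bytes.fromhex("300f0603551d130101ff04053003" + "010101")   # cA TRUE as 0x01 (BER only)
```

Running `check_basic_constraints(find_basic_constraints(der))` over each certificate in a chain reports the mis-encoded BOOLEAN directly, which is the detail the Firefox error string leaves out.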
What was missing... Certificate Policies extension NID_certificate_policies now get this error... which is fixable, but so much more meaningful.

---
An error occurred during a connection to localhost:8085. You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information: Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number. Error code: SEC_ERROR_REUSED_ISSUER_AND_SERIAL
---

Still; on the address bar, on the left side is a (I) which, when clicked, can get me to 'Page Info - https://localhost:8085/' which has view certificate, but does not show the certificate.

And on reload (with devtools open), this is the page that I get...

---
Your connection is not secure
The owner of localhost has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
---

And every time after, I get only 'connection is not secure' (expected, because unknown root cert). But I never get the REUSED_ISSUER_AND_SERIAL again. Even after closing and restarting.
Not sure why I thought I figured it out... certificates are still throwing SEC_ERROR_EXTENSION_VALUE_INVALID and that ruby cablint has 1 error that I'm sure isn't the issue

(the root cert)
$ ruby -I lib:ext bin/cablint ../yy.c
W: BasicConstraints is not encoded using DER yy.c
W: Serial numbers should have at least 20 bits of entropy yy.c
I: CA certificate identified yy.c

(the CA cert)
$ ruby -I lib:ext bin/cablint ../a.c
W: BasicConstraints is not encoded using DER a.c
W: Serial numbers should have at least 20 bits of entropy a.c
I: CA certificate identified a.c

(the leaf certificate)
$ ruby -I lib:ext bin/cablint ../b.c
W: Serial numbers should have at least 20 bits of entropy b.c
I: TLS Server certificate identified b.c
W: TLS Server certificates must include serverAuth key purpose in extended key usage b.c
W: Certificate does not include authorityInformationAccess. BRs require OCSP stapling for this certificate. b.c
E: Unqualified domain name in SAN b.c

And the last one is just because i have '*.localhost' and 'localhost' and no domain... but adding the NID_certificate_policies did not actually change the issue... (it took a while for changes to propagate through the servers and for them to generate new certs)

So.... Still no idea why this is failing, and what SEC_ERROR_EXTENSION_VALUE_INVALID is missing.

The message has changed... it now says _VALID_INVALID instead of missing.
There's still no information on what value is invalid.

The webpage says

```
Secure Connection Failed

An error occurred during a connection to chatment.com:8000. Certificate extension value is invalid. Error code: SEC_ERROR_EXTENSION_VALUE_INVALID

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
```

I've contacted myself, but I'm unable to have any useful information.
If connected with a webpage instead of websocket connection, the certificate doesn't show in page information still, so I can't even see what firefox thinks it got for a certificate.
