Closed Bug 1484662 Opened 7 years ago Closed 7 years ago

Incorrect instances of MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED

Categories

(Core :: Security, defect)

defect
Not set
normal

RESOLVED INVALID
Tracking Status
firefox63 --- affected

People

(Reporter: djc, Unassigned)

Details

I've recently been seeing several instances of this error, but I believe this may be erroneous. For now, I see the following sites that have this problem:

https://www.paypal.com/
https://www.startvragenlijst.nl/

Here's the certificate chain from PayPal:

https://www.paypal.com/

An additional policy constraint failed when validating this certificate.

HTTP Strict Transport Security: true
HTTP Public Key Pinning: false

Certificate chain:

I see this working in current Chrome (68), but not in Firefox Nightly, which makes me believe it's not simply an issue with a Symantec certificate. I wasn't sure whether to file in NSS or Core, please move it if that makes more sense. This happened with 63.0a1 (2018-08-19) (64-bit) on macOS.

Both pages use Symantec certs and are correctly classified with the error. Both sites fail to load in Chrome Canary with the expected error (ERR_CERT_SYMANTEC_LEGACY). Pages that are affected by this are collected in bug 1484006. paypal.com is on there already.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID