about:certificate failing on unknown entries in subject field
Categories
(Firefox :: Security, defect, P3)
People
(Reporter: spire666, Unassigned)
References
(Blocks 1 open bug)
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Steps to reproduce:
Import Intermediate CA cert to Firefox to identify Websites.
(In my case an elliptic curve, secp384r1, SHA512 encrypted cert)
Go to my server with SSL self signed cert.
(Same encryption level)
View server certificate.
Actual results:
about:certificate opens with this message: Something went wrong.
We were unable to find the certificate information, or the certificate is corrupted. Please try again.
Expected results:
It should actually be able to show this self signed certificate. No matter if valid, or not. I have to use Chrome to show the certificate.
Comment 1•5 years ago
Setting a component for this issue in order to get the dev team involved.
If you feel it's an incorrect one please feel free to change it to a more appropriate one.
Comment 2•5 years ago
Is it possible for you to share the full about:certificate url (including the encoded certificate)?
Thanks!
Hello, that's the URL
Comment 4•5 years ago
Looks like the subject field contains the following DN:
c=DE, s=BA, l=WUE, o=valhall enterprises, e=<redacted email>, cn=heimdall.valhall.tech, OID.2.5.29.17=IP:192.168.1.1,IP:192.168.50.1,IP:192.168.100.1,DNS:heimdall.valhall.tech,URI:https://heimdall.valhall.tech
Where the last part seems a bit fishy. I'm definitely not an expert on X.509 but I don't feel like that's supported syntax and in any case our certificate parser is tripping over it. I wonder what other cert viewers display for the subject here. April can probably speak more to this.
The easiest way to solve this in the short term is to just ignore undefined values here and avoid rendering them. Again, maybe this is actually valid and we need to fix pki.js to improve the parsing there.
This is self signed and the last part has been added by me.
It worked for some months already with older versions of Firefox ESR.
Comment 6•4 years ago
This is a duplicate of: 1617458
When creating a certificate with OPNsense, it will put the alternate names not only in the Subject Alt Names extension field, but also in the subjectAltName attribute of the subject field. This is uncommon, but allowed by the spec.
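The failure discussed in comments 4 and 6, as an added example that is not part of the bug thread and is not Firefox or pki.js code: a minimal DER walker for a subject Name that shows an unrecognized attribute type by its dotted OID (the way the DN is written in comment 4) instead of failing. The helper names and sample bytes are constructed, and encoding the 2.5.29.17 value as a UTF8String is an assumption.

```javascript
// Short names for common subject attribute OIDs; anything else renders as OID.<dotted>.
const SHORT_NAMES = { "2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L",
  "2.5.4.10": "O", "2.5.4.3": "CN", "1.2.840.113549.1.9.1": "E" };

// Read one DER TLV at offset pos (definite lengths only); `end` is relative to buf.
function readTlv(buf, pos) {
  if (pos + 2 > buf.length) throw new RangeError("truncated DER");
  const tag = buf[pos];
  let len = buf[pos + 1], start = pos + 2;
  if (len & 0x80) { // long form: low 7 bits give the count of length bytes
    let n = len & 0x7f;
    for (len = 0; n-- > 0; ) len = len * 256 + buf[start++];
  }
  if (!(start + len <= buf.length)) throw new RangeError("truncated DER");
  return { tag, body: buf.subarray(start, start + len), end: start + len };
}

// Decode OID content bytes to dotted notation (base-128 arcs, first two arcs packed).
function decodeOid(bytes) {
  const arcs = [];
  let v = 0;
  for (const b of bytes) {
    v = v * 128 + (b & 0x7f);
    if (!(b & 0x80)) { arcs.push(v); v = 0; }
  }
  const first = arcs.shift();
  const top = Math.min(Math.floor(first / 40), 2);
  return [top, first - top * 40, ...arcs].join(".");
}

// Walk Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value } and render every attribute.
function renderSubject(der) {
  const out = [], name = readTlv(der, 0);
  if (name.tag !== 0x30) throw new TypeError("Name must be a SEQUENCE");
  for (let p = 0; p < name.body.length; ) {
    const rdn = readTlv(name.body, p); p = rdn.end;
    for (let q = 0; q < rdn.body.length; ) {
      const atv = readTlv(rdn.body, q); q = atv.end;
      const type = readTlv(atv.body, 0), value = readTlv(atv.body, type.end);
      const oid = decodeOid(type.body);
      const label = SHORT_NAMES[oid] ?? `OID.${oid}`; // unknown type: show it, never throw
      const text = [0x0c, 0x13, 0x16].includes(value.tag); // UTF8/Printable/IA5String
      out.push(`${label}=` + (text ? new TextDecoder().decode(value.body)
        : "#" + Array.from(value.body, b => b.toString(16).padStart(2, "0")).join("")));
    }
  }
  return out.join(", ");
}

// Constructed sample subject: C, CN, plus a subjectAltName (2.5.29.17) attribute.
const tlv = (tag, ...parts) => { const b = parts.flatMap(p => [...p]); return [tag, b.length, ...b]; };
const mkRdn = (oid, s) => tlv(0x31, tlv(0x30, tlv(0x06, oid), tlv(0x0c, new TextEncoder().encode(s))));
const SAMPLE = Uint8Array.from(tlv(0x30, mkRdn([0x55, 4, 6], "DE"),
  mkRdn([0x55, 4, 3], "heimdall.valhall.tech"), mkRdn([0x55, 0x1d, 0x11], "DNS:heimdall.valhall.tech")));
```

`renderSubject(SAMPLE)` returns the three attributes in order, with the last one labelled `OID.2.5.29.17`; a truncated buffer raises `RangeError` rather than producing a partial DN.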