Closed Bug 171279 Opened 22 years ago Closed 22 years ago

Cannot reach site whose cert lacks server authentication OID

Categories

(Core Graveyard :: Security: UI, defect)

1.0 Branch
x86
Windows 2000
defect
Not set
normal

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 172036

People

(Reporter: junruh, Assigned: ssaux)


Some clues:

1.) The error message is: 'Could not establish an encrypted connection because certificate presented by www.cu-webssl.net is invalid or corrupted. Error Code:-8101'
2.) IE6 and Navigator 4.8 can reach the web site.
3.) nelsonb's tstclnt shows that the brand of server (WebSite/3.5.11) is not TLS intolerant.
4.) The error -8101 shows "Certificate type not approved for application."
5.) SSLTAP does not finish the output and return me to the prompt.
6.) IE6's Enhanced Key Usage shows "Unknown Key Usage(2.16.840.1.113730.4.1)"
7.) The cert is:
subject DN: CN=www.cu-webssl.net, OU=Internet Services, O="Apex Data Systems, Inc.", L=Indianapolis, ST=Indiana, C=US
issuer DN: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network
I looked at the certificates. The server certificate includes an Extended Key Usage extension that does not have the SSL Server and SSL Client OIDs. Therefore the certificate is being rejected. The server is sending the intermediate certificate, so it is not a misconfiguration problem. The key usage value (2.16.840.1.113730.4.1) is the Netscape "Step-up" OID, which indicates that domestic-level security may be used on this site.
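
As an added illustration (not part of the original bug comments, and not NSS or PSM code), the check described in the comment above can be modeled as follows: decode the DER value of the Extended Key Usage extension and require the server authentication OID 1.3.6.1.5.5.7.3.1 when the extension is present. The two byte strings are constructed samples, not bytes from the real certificate, and the function names are hypothetical.

```python
# Added illustration; simplified model of the EKU check, not NSS/PSM code.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth (RFC 5280)

# Constructed DER extension values (not taken from the real certificate):
# EKU containing only 2.16.840.1.113730.4.1, and EKU containing serverAuth.
STEP_UP_ONLY = bytes.fromhex("300b06096086480186f8420401")
WITH_SERVER_AUTH = bytes.fromhex("300a06082b06010505070301")

def read_tlv(data, pos):
    """Read one short-form DER TLV; return (tag, content, next_pos)."""
    if pos + 2 > len(data) or data[pos + 1] & 0x80:
        raise ValueError("truncated or long-form TLV")
    end = pos + 2 + data[pos + 1]
    if end > len(data):
        raise ValueError("TLV overruns buffer")
    return data[pos], data[pos + 2:end], end

def decode_oid(content):
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    if not content or content[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if byte & 0x80:        # continuation bit: more base-128 digits follow
            continue
        if not arcs:           # first subidentifier packs the first two arcs
            first = min(value // 40, 2)
            arcs += [first, value - 40 * first]
        else:
            arcs.append(value)
        value = 0
    return ".".join(str(a) for a in arcs)

def parse_eku(ext_value):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (OBJECT IDENTIFIER)."""
    tag, body, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("expected a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(decode_oid(content))
    return oids

def allows_tls_server(ext_value):
    """ext_value is None when the certificate has no EKU extension."""
    return ext_value is None or SERVER_AUTH in parse_eku(ext_value)
```

A certificate with no Extended Key Usage extension is unrestricted under RFC 5280, which is why `None` is accepted while an extension listing only the step-up OID is not.
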
On the basis of Terry's analysis, I agree that this chain is invalid. So, why do C4.x and IE6 approve of it?
Dupe. *** This bug has been marked as a duplicate of 172036 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Verified.
Status: RESOLVED → VERIFIED
*** Bug 224844 has been marked as a duplicate of this bug. ***
Changed summary to reflect the problem.
Summary: Cannot reach cu-webssl.net → Cannot reach site whose cert lacks server authentication OID
Product: PSM → Core
Version: psm2.4 → 1.0 Branch
Product: Core → Core Graveyard