Closed Bug 172036 Opened 22 years ago Closed 22 years ago

Connecting to web site with Verisign cert => error -8101

Categories

(Core Graveyard :: Security: UI, defect)

Product:
Core Graveyard
Component:
Security: UI
Version:
Other Branch
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
VERIFIED INVALID

People

(Reporter: KaiE, Assigned: KaiE)

References

(
URL
)

Details

Use Mozilla 1.0.1 or the latest trunk (containing NSS 3.6), both don't work. Connect to: https://www.cu-webssl.net/ Actual result: An error message is shown: 'Could not establish an encrypted connection because certificate presented by www.cu-webssl.net is invalid or corrupted. Error Code:-8101'
SEC_ERROR_INADEQUATE_CERT_TYPE = (SEC_ERROR_BASE + 91), It's quite possible that there's a problem with their ssl server cert (that IE wouldn't detect).
I am able to reproduce this bug. This bug was actually reported by an end user. There is also recent bug 171930 showing the same error message, but I can not reproduce bug 131930.
Here's the output from vfyserv (tool is built from mozilla/security/nss/cmd/vfyserv and can be used to verify that an SSL server is correctly configured, and if not, what appears to be wrong with it ). vfyserv www.cu-webssl.net Connecting to host www.cu-webssl.net (addr 209.43.18.125) on port 443 PROBLEM WITH THE CERT CHAIN: CERT 0. CN=www.cu-webssl.net, OU=Internet Services, O="Apex Data Systems, Inc.", L=Indianapolis, ST=Indiana, C=US : ERROR -8101: Certificate type not approved for application. OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network Error in function PR_Write: -8157 - Certificate extension not found.
AARgh! Error -8157, cert extension not found, should NEVER be returned as an error code for PR_Write, because it's not an error that's fatal to SSL. It means that some code somewhere returned an error status (e.g. returned NULL or -1) without setting the error code properly. This may be a regression in a recent version of NSS. However, that should be the subject of another bug report.
*** Bug 171279 has been marked as a duplicate of this bug. ***
Nelson, is this then a regression in NSS and the bug should be NSS or does Kai need to investigate first. Have we determined that the cert is ok?
Assignee: ssaux → kaie
cc wtc
Stephane, I think you're asking if the appearance of error -8157 in the output of the brand-new vfyserv command indicates a regression in NSS. Without studying vfyserv, I cannot say. It may be that vfyserv code is at fault, and the NSS library is working properly. A new bug report should be filed about vfyserv. If you're asking about the -8101 error (the subject of this bug report), Terry Hayes wrote an analysis of the cert coming from the www.cu-webssl.net server. He concluded that the cert has an extension that restricts it from being used for SSL server usage. Based on that analysis, I conclude that the cert is flawed, and NSS is not. Terry notified the site's webmaster about the problem. The appearance of error -8101 when detecting an SSL server cert that is marked invalid for SSL server use (in its own cert extensions) is not a regression. All versions of NSS should have detected this flaw. If past versions of NSS did not, this is a bug fix, not a regression.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → INVALID
The output of vfyserv has 2 error messages: Right under the cert in question: -8101 (and the english string describing the error). vfyserv intercepts the bad cert handler, and does lots of extra calls in that handler. It could be that those calls affect the final return code from PR_Write. Perhaps the formating could be changed to make some of these things more clear, I have tweaked a bit with the error message formatting of vfyserv because it's primary purpose is a diagnostic tool to tell you what went wrong. -8101 is the correct error for this type of certificate. bob
Bob, Neither the cert auth handler nor the bad cert handler should leave the final error code with the value -8157 Certificate extension not found. I suggest vfyserv's bad cert handler might call PORT_GetError at the beginning to have the original error code, and then call PORT_SetError to restore the error code to the initial value before returning.
The reason that vfyserv was dislaying error -8157, Certificate extension not found, is that the auth cert handler calls printCertProblems, which calls CERT_VerifyCert to build an error log. When CERT_VerifyCert builds an error log it nearly always leaves the error code set to -8157 Certificate extension not found. I think that's a bug that should be fixed. But in the meantime, I changed printCertProblems to save the real error code before building the error log, and to restore it afterwords. Also note that the website cited above has apprently reverted to another older certificate, so the error described above is no longer reproducible at the URL cited above.
Verified.
Status: RESOLVED → VERIFIED
I wrote a test program to let me verify arbitrary chains of certs in files with NSS. I built it with NSS 3.6 and with NSS 3.3.x (latest version) and they both produce the same error with the offending cert, so this is NOT a change in NSS behavior.
Product: PSM → Core
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.