Closed
Bug 188864
Opened 22 years ago
Closed 22 years ago
Expired certificate gives error (8054)
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: ervin.nemeth+org.mozilla.bugzilla, Assigned: wtc)
References
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3b) Gecko/20030113
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3b) Gecko/20030113

Instead of presenting the certificate management window, Mozilla gives an error popup if the SSL server certificate is expired. This has been happening since the weekend and makes it impossible to connect to a server with an expired cert. I'm experiencing this with IMAPS, but if I try the browser with https://host:993 the same happens.

Reproducible: Always

Steps to Reproduce:
Connect to the server with MailNews/IMAPS or Browser/HTTPS.

Actual Results:
"Error establishing encrypted connection to host.dom.ain. Error Code: -8054"

Expected Results:
"There was a problem with the host certificate. Should I connect anyway?"
Comment 1 • 22 years ago (Reporter)
I've new info. The expired certificate was deleted on the server and a new, self-signed one was generated instead. But the new certificate has the same serial number. The workaround was to delete the cert in Mozilla's Certificate Manager. I'm still of the opinion that Mozilla should ask the user whether the user trusts the site and whether to continue the connection or not.
Severity: major → normal
Comment 2 • 22 years ago (Assignee)
-8054 is the new NSS error code SEC_ERROR_REUSED_ISSUER_AND_SERIAL. It is intended to report the exact condition described in comment #1: a new cert with the same issuer and serial number as an old cert is encountered. The new self-signed SSL server cert should use a different serial number. Deleting the old cert in Mozilla's certificate manager also works. This is not a bug in NSS. Marked the bug invalid.
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → INVALID
Comment 3 • 22 years ago (Reporter)
But this situation should not prevent the user from making a connection to the server. This is the real issue.
Comment 4 • 22 years ago
Actually, IMO, it should. Certificates should _never_ have the same issuer and serial number. NSS is designed around the notion that certificates can be indexed by issuer/serial without conflict. Thus it is impossible to introduce a cert with the same issuer/serial as an existing cert, which is why the error dialog appears, and why deleting the stored cert works. At best, the error dialog could offer the option of automatically deleting the pre-existing cert, but that's just encouraging bad behavior. People should stop reissuing certs with the same issuer/serial.
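To make the design point in comment 4 concrete, here is an added example (written for this page, not NSS or Mozilla code) of a certificate store keyed by issuer DN and serial number. It mints two self-signed certs for the host name from the report with the same serial but different keys, shows that the second one is rejected with an error standing in for SEC_ERROR_REUSED_ISSUER_AND_SERIAL, that deleting the stored entry (the comment 1 workaround) lets it through, and that reissuing with a fresh serial (the comment 2 fix) never collides. The store type, error value and helper names are this example's own assumptions; only the host name and error semantics come from the report.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrReusedIssuerAndSerial stands in for NSS's SEC_ERROR_REUSED_ISSUER_AND_SERIAL (-8054);
// the Go name and type are this example's, not NSS's.
var ErrReusedIssuerAndSerial = errors.New("reused issuer and serial: a different certificate with this issuer/serial is already stored")

// CertStore is a toy certificate database indexed by (issuer DN, serial number),
// the index NSS assumes is collision-free.
type CertStore struct {
	byIssuerSerial map[string]*x509.Certificate
}

func NewCertStore() *CertStore {
	return &CertStore{byIssuerSerial: make(map[string]*x509.Certificate)}
}

// issuerSerialKey builds the lookup key from the raw DER issuer name and the serial.
func issuerSerialKey(c *x509.Certificate) string {
	return fmt.Sprintf("%x/%s", c.RawIssuer, c.SerialNumber.Text(16))
}

// Add stores a certificate. Storing the identical certificate again is a no-op;
// a different certificate carrying an already-stored issuer/serial is rejected.
func (s *CertStore) Add(c *x509.Certificate) error {
	key := issuerSerialKey(c)
	if existing, ok := s.byIssuerSerial[key]; ok {
		if bytes.Equal(existing.Raw, c.Raw) {
			return nil
		}
		return ErrReusedIssuerAndSerial
	}
	s.byIssuerSerial[key] = c
	return nil
}

// Remove drops the stored entry for this issuer/serial (the Certificate Manager workaround).
func (s *CertStore) Remove(c *x509.Certificate) {
	delete(s.byIssuerSerial, issuerSerialKey(c))
}

// newSelfSigned mints a self-signed server certificate with a chosen serial (constructed
// test data). Issuer == subject, so two certs for the same host and serial collide.
func newSelfSigned(host string, serial int64, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    notAfter.AddDate(-1, 0, 0),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{host},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Scenario replays the report: an expired cert is stored, the server replaces it with a
// self-signed cert reusing the serial, the user deletes the old entry, and finally the
// administrator reissues with a fresh serial. It returns the four Add results in order.
func Scenario() (addOld, addReplacement, addAfterRemove, addFreshSerial error) {
	const host = "host.dom.ain" // host name taken from the report
	old, err := newSelfSigned(host, 1, time.Now().AddDate(0, -1, 0)) // expired a month ago
	if err != nil {
		return err, err, err, err
	}
	replacement, err := newSelfSigned(host, 1, time.Now().AddDate(1, 0, 0)) // same serial, new key
	if err != nil {
		return err, err, err, err
	}
	fresh, err := newSelfSigned(host, 2, time.Now().AddDate(1, 0, 0)) // the fix: new serial
	if err != nil {
		return err, err, err, err
	}
	store := NewCertStore()
	addOld = store.Add(old)
	addReplacement = store.Add(replacement) // collides on issuer/serial
	store.Remove(old)                       // the workaround from comment 1
	addAfterRemove = store.Add(replacement)
	store2 := NewCertStore()
	_ = store2.Add(old)
	addFreshSerial = store2.Add(fresh) // different serial, no collision
	return
}

func main() {
	a, b, c, d := Scenario()
	fmt.Println("store expired cert:", a)
	fmt.Println("store replacement with reused serial:", b)
	fmt.Println("store replacement after deleting old entry:", c)
	fmt.Println("store reissue with new serial alongside old:", d)
}
```

Run it with `go run .`; the second line prints the reused-issuer-and-serial error, the other three print `<nil>`. Keying on the raw DER issuer rather than a string rendering of the name avoids false matches between names that only print the same.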
Comment 5 • 22 years ago (Reporter)
Just some thoughts. If Mozilla is refusing to connect to a badly configured site, it is penalizing the user, not the site administrator. Ian, I don't know how correct your solution is, but _at least_ this should be implemented. Or the warning dialog should give some hints on how to remove the previous cert. An average user has no idea of cert serial numbers.
Comment 6 • 22 years ago
NSS is designed to provide SECURITY, not merely encrypted connectivity. With the badly made cert, NSS _CANNOT_ provide you cryptographic assurances that you're actually talking to the server you think you are, and only that server. It is possible for a "Man in the middle" attacker to successfully intercept, read, and even modify traffic between you and the server. So, NSS is behaving properly by denying the "secure" connection. To allow the connection would provide a FALSE appearance of security.
Comment 7 • 22 years ago
*** Bug 189440 has been marked as a duplicate of this bug. ***
Comment 8 • 22 years ago
*** Bug 189697 has been marked as a duplicate of this bug. ***
Comment 9 • 22 years ago
*** Bug 189983 has been marked as a duplicate of this bug. ***
Comment 10 • 22 years ago
re: nelson's comment 6, sure, the connection should not automatically go through. but "Error Code: -8054" hardly lets the user know what's up so they can clue the webmaster in. can we re-open this bug and track the fact that the alert that is popped up sucks? the alert needs to provide information to let the user continue to be productive.
Comment 11 • 22 years ago
There's already a separate bug about the error dialog being inadequate. You can add comments to it. Bug 188363 http://bugzilla.mozilla.org/show_bug.cgi?id=188363