Closed Bug 188864 Opened 22 years ago Closed 22 years ago

Expired certificate gives error (8054)

Categories: NSS :: Libraries, defect
Hardware: x86
OS: All
Type: defect
Priority: Not set
Severity: normal

Tracking: (Not tracked)

Status: RESOLVED INVALID

People

(Reporter: ervin.nemeth+org.mozilla.bugzilla, Assigned: wtc)

References

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3b) Gecko/20030113
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3b) Gecko/20030113

Instead of presenting the certificate management window, Mozilla gives an
error-popup if SSL server-certificate is expired.

This is happening since the weekend and makes it impossible to connect to a server
with an expired cert.

I'm experiencing this with IMAPS but if I try the browser with https://host:993
the same happens.

Reproducible: Always

Steps to Reproduce:
Connect to the server with MailNews/IMAPS or Browser/HTTPS.
Actual Results:  
"Error establishing encrypted connection to host.dom.ain. Error Code: -8054"

Expected Results:  
"There was a problem with the host certificate.  Should I connect anyway?"
I've new info.  The expired certificate was deleted on the server and a new,
self-signed one was generated instead.  But the new certificate has the same
serial number.

The workaround was to delete the cert in Mozilla's Certificate Manager.

I'm still of the opinion that Mozilla should ask the user if the user is
trusting the site and to continue the connection or not.
Severity: major → normal
-8054 is the new NSS error code SEC_ERROR_REUSED_ISSUER_AND_SERIAL.
It is intended to report the exact condition described in comment
#1: a new cert with the same issuer and serial number as an old
cert is encountered.

The new self-signed SSL server cert should use a different serial
number.  Deleting the old cert in Mozilla's certificate manager
also works.

This is not a bug in NSS.  Marked the bug invalid.
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → INVALID
But this situation should not prevent the user from making a connection to the server.
This is the real issue.
Actually, IMO, it should.  Certificates should _never_ have the same issuer and
serial number.  NSS is designed around the notion that certificates can be
indexed by issuer/serial without conflict.  Thus it is impossible to introduce a
cert with the same issuer/serial as an existing cert, which is why the error
dialog appears, and why deleting the stored cert works.

At best, the error dialog could offer the option of automatically deleting the
pre-existing cert, but that's just encouraging bad behavior.  People should stop
reissuing certs with the same issuer/serial.
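The following is an added illustration of the indexing that wtc and Ian describe above; it is not NSS code and not part of the bug thread. It builds two constructed self-signed certificates for host.dom.ain with the same issuer and serial number but different keys, stores them in a table keyed by (issuer, serial) the way NSS indexes its certificate database, and shows that the second insert is refused with the -8054 code while a certificate with a fresh serial, or the same certificate after the old one is deleted, is accepted. The DER encoder, the dummy signature, the store class and the function names are all assumptions made for the example.

```python
"""Added example (not NSS code): a cert store keyed by (issuer, serial), and
why a reissued cert that reuses both collides with the stored one."""
import os

REUSED_ISSUER_AND_SERIAL = -8054  # the error code quoted in the bug report


# --- minimal DER encoding, used only to build constructed sample certs -----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(value):
    if value < 0:
        raise ValueError("serialNumber must be positive (RFC 5280)")
    # one extra byte when the top bit is set keeps the INTEGER positive
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def der_name(common_name):
    # Name ::= SEQUENCE OF RelativeDistinguishedName, one CN (OID 2.5.4.3)
    attr = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0c, common_name.encode()))
    return tlv(0x30, tlv(0x31, attr))

def make_cert(issuer_cn, serial, subject_cn, pubkey_bytes):
    """Build a syntactically minimal X.509 Certificate (constructed test data).
    The signature is a dummy so the structure parses; nothing is cryptographically valid."""
    sha256_rsa = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(0x05, b""))
    rsa_enc = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"030101000000Z") + tlv(0x17, b"040101000000Z"))
    spki = tlv(0x30, rsa_enc + tlv(0x03, b"\x00" + pubkey_bytes))
    tbs = tlv(0x30, tlv(0xa0, der_int(2)) + der_int(serial) + sha256_rsa +
              der_name(issuer_cn) + validity + der_name(subject_cn) + spki)
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00" + b"\x00" * 8))


# --- minimal DER parsing: only what is needed for the (issuer, serial) key --
def der_read(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7f
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_serial(cert_der):
    """Extract the (issuer DER, serial) pair a cert database indexes on."""
    _, cert, _ = der_read(cert_der, 0)      # Certificate SEQUENCE
    _, tbs, _ = der_read(cert, 0)           # tbsCertificate
    tag, body, pos = der_read(tbs, 0)
    if tag == 0xa0:                         # optional [0] version
        tag, body, pos = der_read(tbs, pos)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    serial = int.from_bytes(body, "big", signed=True)
    _, _, pos = der_read(tbs, pos)          # signature AlgorithmIdentifier
    start = pos
    _, _, pos = der_read(tbs, pos)          # issuer Name
    return tbs[start:pos], serial


class CertStore:
    """Hypothetical cert database keyed by (issuer, serial), as NSS's is."""
    def __init__(self):
        self.by_key = {}

    def add(self, cert_der):
        key = issuer_and_serial(cert_der)
        existing = self.by_key.get(key)
        if existing is None:
            self.by_key[key] = cert_der
            return 0
        if existing == cert_der:
            return 0                        # the same cert seen again is fine
        return REUSED_ISSUER_AND_SERIAL     # a different cert under the same key

    def delete(self, cert_der):             # the reporter's workaround
        self.by_key.pop(issuer_and_serial(cert_der), None)


def fresh_serial():
    """Random positive serial, 16 octets (RFC 5280 allows up to 20): what the reissued cert should have used."""
    return int.from_bytes(os.urandom(16), "big") >> 1

def demo():
    """Replay the bug: stored self-signed cert, then a reissue with the same issuer and serial."""
    store = CertStore()
    old = make_cert("host.dom.ain", 1, "host.dom.ain", b"\x01" * 16)
    reissued_same = make_cert("host.dom.ain", 1, "host.dom.ain", b"\x02" * 16)
    reissued_fresh = make_cert("host.dom.ain", fresh_serial(), "host.dom.ain", b"\x02" * 16)
    results = {}
    store.add(old)
    results["reissued_same_serial"] = store.add(reissued_same)    # -8054
    results["reissued_fresh_serial"] = store.add(reissued_fresh)  # 0
    store.delete(old)
    results["after_deleting_old"] = store.add(reissued_same)      # 0
    return results

if __name__ == "__main__":
    print(demo())
```

The store compares the whole DER rather than just the key, so re-adding an identical certificate is harmless; only a different certificate under an already-used (issuer, serial) is refused, which is the situation the reporter hit after the server regenerated its self-signed certificate with the old serial.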
Just some thoughts.  If Mozilla is refusing to connect to a badly configured
site, it is penalizing the user, not the site administrator.  Ian, I don't know
how correct your solution is, but _at least_ this should be implemented.  Or the
warning dialog should give some hints how to remove the previous cert.

An average user has no idea of cert serial numbers.
NSS is designed to provide SECURITY, not merely encrypted connectivity.

With the badly made cert, NSS _CANNOT_ provide you cryptographic assurances
that you're actually talking to the server you think you are, and only that
server.  It is possible for a "Man in the middle" attacker to successfully
intercept, read, and even modify traffic between you and the server.

So, NSS is behaving properly by denying the "secure" connection.  
To allow the connection would provide a FALSE appearance of security. 
*** Bug 189440 has been marked as a duplicate of this bug. ***
*** Bug 189697 has been marked as a duplicate of this bug. ***
*** Bug 189983 has been marked as a duplicate of this bug. ***
re: nelson's comment 6, sure, the connection should not automatically go
through.  but "Error Code: -8054" hardly lets the user know what's up so they
can clue the webmaster in.  can we re-open this bug and track the fact that the
alert that is popped up sucks?  the alert needs to provide information to let
the user continue to be productive.
There's already a separate bug about the error dialog being inadequate.
You can add comments to it.  Bug 188363
http://bugzilla.mozilla.org/show_bug.cgi?id=188363
