mozilla::pkix: the extension "Microsoft Application Policies" should be ignored even if critical, if eku is present
Categories
(NSS :: Libraries, defect, P5)
Tracking
(Not tracked)
People
(Reporter: oron, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Steps to reproduce:
I am trying to access intranet sites using TLS with certificates generated by a Microsoft product using some kind of template.
Actual results:
Firefox fails to securely connect with SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION due to the section "Microsoft Application Policies" being marked as critical. This does not occur in other browsers or any other software.
Expected results:
Firefox should ignore this critical extension if "Extended Key Usage" is also present, as per Microsoft's documentation here: https://learn.microsoft.com/en-us/windows/win32/seccertenroll/supported-extensions#msapplicationpolicies
I know this is Microsoft's fault, but Firefox is the only software that has this issue. (Also, since Firefox has very low market share in the organization, there is no incentive to fix the certificates.)
Comment 1•1 year ago
The Bugbug bot thinks this bug should belong to the 'WebExtensions::Untriaged' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 2•1 year ago
Hello,
Since the issue does not appear to be related to WebExtensions, I’m going to change the product of this report to a more appropriate one (Firefox); however, in case of error, please revert the changes or move the report to the correct product/component.
Thank you!
Finally I found the reason that Firefox does not work in my company's intranet.
It would be great if this gets fixed.
Comment hidden (off-topic)
Comment 5•11 months ago
Comment 4 gives instructions to allow anyone to intercept and decrypt all of your browser's traffic, so definitely don't do that.