Closed Bug 191845 Opened 22 years ago Closed 21 years ago

Could not establish an encrypted connection, error -8182 or -12219

Categories

(Core Graveyard :: Security: UI, defect)

Product:
Core Graveyard
Component:
Security: UI
Version:
1.0 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
RESOLVED INVALID

People

(Reporter: sagax, Assigned: ssaux)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2.1) Gecko/20021130
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2.1) Gecko/20021130

HTTPS sites will not load- all attempted so far - Site name changes in error
message but otherwise persists to all sites tried.  ERROR MESSAGE READS

Could not establish an encrypted connection because certificate presented by
<my.screenname.aol.com> is invalid or corrupted.  Error Code: -8182

Attempt to access intranet OWA site prompted for acceptance of internal
certificate. selected always accept | clicked OK | returned error connecting to
OWA Error code: 12204

Reproducible: Always

Steps to Reproduce:
1. Attempt to open ANY httpS site
2. Attempt to open OWA Intranet site
3.

Actual Results:  
Same as details above - every time

Expected Results:  
established a secure connection to the site or in the case of the OWA site
accepted the local cert when prompt was marked accept and OK'd

ALL tabs under Preferences | Privacy&Security | Certificates | Manage
Certificates  are vacant except Authorities.  The file cert7.db does not exist
on this computer
psm
Assignee: mstoltz → ssaux
Component: Security: General → Client Library
Product: Browser → PSM
QA Contact: bsharma → junruh
Version: Trunk → 2.4
Reporter, can you try setting up a new profile? Your cert DB may have become
corrupted. You might also want to upgrade to 1.3a, installing into a new directory.
I too am experiencing this bug - its seems to have come about in the 1.6 builds,
as 1.5 is fine. I either get error code -8182 or 12219. I have tried creating
new profiles, as well as various combinations of SSL3/TLS restrictions under
Prefs->Security->SSL -- same result always.

Here are some sample URLs:
https://www.breezeway.tv (CA signed, valid)
https://www.onnet.cc (self-signed wildcard)

Probably related to bug 225159. I hope this bug doesnt get into a 1.6 release.
Ken, 
in bug 191845, you claim to see error -8182.
In bug 225159, you claim to see error -8183.

These bugs have very different causes.  See
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html#1037303

Please confirm what you're seeing, and whether it is reproducible with the 
latest nightly build.  Thanks.
Summary: Could not establish an encrypted connection → Could not establish an encrypted connection, error -8182
I should have written:  these *error codes* have very different causes.

BTW, this does NOT appear to be an NSS regression.  The combination of 
mozilla 1.3.1 with the latest NSS trunk does not exhibit this problem.

On last nights build, I now get only error -12219 (not listed on the codes page)
on all the sites I had problems with. I no longer get any other code, so cant
confirm which it was... Will continue trying to dupl.

The error 12219, at least, does ONLY happen on post 1.5 builds, including last
night's...

Thanks for the link to the error codes - I must be awful at finding these things
- my searches never found this page so I hand no clue what was wrong (just a
number). Could the error codes be shown in the error dialog, beside the number?
Hmm the error code is on that page - see how bad my search skill are?

"Unspecified failure while processing SSL Client Key Exchange handshake."
Ken, On what exact URL do you get error -12219?

This error typically means that NSS thinks the public key in the server's 
cert is an invalid RSA key.  I want to see if the site's key is bad, or 
if this is an NSS bug.  NSS experienced a regression in that area 
several weeks ago, but it was fixed just a few days after it occurred.
nightly builds should not still be experiencing that bug.  

However, the subject of _this_ bug remains error -8182.
error -12219 should get its own bug report, if it is indeed a bug.
Here's several different sites, all with different certs:
https://www.breezeway.tv/ is CA signed,
https://www.onnet.cc/ is self signed,
https://home.encorehollywood.com/ is also self signed.

Ken, thanks for those URLs.  They explained what's going on.  
When I visit https://www.breezeway.tv/ I get error -12219
When I visit https://www.onnet.cc/     I get error -8182

In both cases, mozilla had detected an important problem with the certs,
and has reported it.  Mozilla is behaving correctly here.  Mozilla is 
detecting a problem with these certs that older versions of mozilla,
(and apparently current versions of other products) did/do not detect.

Both of these certs have the same problem: 
The RSA public key has a public exponent value that is the number 1 !!

When such an RSA public key is used to encrypt, no encryption whatsoever is
actually done.  That is, the "RSA encrypted" data is identical to the 
unencrypted data that was "encrypted".  This is totally insecure.

Any SSL "secure connection" done with a web site that uses such an RSA 
public key can be trivially decrypted by anyone who can record the 
connection (e.g. with a sniffer).  

So, mozilla protects its users by not allowing a "secure connection" to 
be done with those keys.  In the case of error -12219, it is detecting
the invalid RSA key when it goes to actually encrypt the SSL pre-master
secret to send to the server.  In the case of error -8182, mozilla is 
detecting the error at the point that it validates the signature on the
certificate, causing mozilla to report an invalid signature.  

So, this "bug" is not a mozilla bug at all, and I will mark it invalid.

I'm surprised to find certs in actual use with such a public key, 
especially in certs issued by well known public CAs!
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → INVALID
Summary: Could not establish an encrypted connection, error -8182 → Could not establish an encrypted connection, error -8182 or -12219
Wow! Finally good to here a response on this bug from an expert!

So I guess it goes without saying that this is an error that Mozilla should be
made to be much more verbose on, if possible (enless there's 10s or 100s of
similar exceptions as well).

Does mozilla have a built in SSL debugging mechanism, ala verbose logging or the
protocol perhaps. Or can you recommend some Java/C package that would
demonstrate this.

Yes, it truly is strange that no other client product (that I've ever used, app
or API) complains about this. My faith about SSL's strength is slightly
devastated. :)
There is an SSL trace feature in the source, but you have to compile it in.
That is, you have to build your own NSS to get this feature.

The released NSS binaries include a number of useful command line tools,
such as vfyserv, which tells you what it finds in a server's cert chain, and
ssltap, which acts like a proxy server (sort of), and simply reports what goes
by (analyzing the unencrypted portions of the SSL records and messages).
Product: PSM → Core
Version: psm2.4 → 1.0 Branch
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.