197450 - Invalid certificate message for valid certificate

Status: VERIFIED INVALID

(Core Graveyard :: Security: UI, defect)

Description

[Michael Dinowitz]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312

A new certificate from verisign was just installed and registers as legal on IE.
Mozilla 1.3 throws an -8101 error every time. No changes to the webserver will
cause it to work.
Url is:
https://secure.lotauctions.com/index.html

Reproducible: Always

Steps to Reproduce:
1.go to https://secure.lotauctions.com/index.html
2. see the error message
3.
Actual Results:  
error message on each request

Expected Results:  
a secure html page

works on IE

Comment 1

[Matthias Versen [:Matti]]

-> PSM

Comment 2

[Mikael Parknert]

c also bugs 185610, 196390

Comment 3

[Michael Dinowitz]

This is the response from Bob Denny, author of Website:
Yes, this is something I have seen. The cert does not have in its X.509V3
permission the authorized key usage needed for it to be used for "server
authentication". IE will accept a server cert that is not permitted to be a
server cert. Mozilla will (properly) refuse to accept it. The archaeological
Netscape 4 and all versions of Opera will also ignore the X.509V3 AKI info
and accept a cert that is not permitted to be used for server
authentication. The problem is in the cert. I've been over this ad nauseum,
but the issuer is apparently clueless.
It appears that Mozilla is being more strict with certificates than IE is.

Comment 4

[John Unruh]

Verified.