Closed
Bug 224844
Opened 21 years ago
Closed 21 years ago
New Verisign SSL Step-up cert causes error -8101
Categories
(Core Graveyard :: Security: UI, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 171279
People
(Reporter: qgonjon, Assigned: wtc)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030702 Debian/1.3-4.lindows41
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030702 Debian/1.3-4.lindows41
In the page at https://qcc.iwr.cuny.edu, a message appears, "Could not establish
a secure connection because certificate presented by qcc.iwr.cuny.edu is invalid
or corrupted. Error Code: -8101"
Reproducible: Always
Steps to Reproduce:
1. Type the following URL: https://qcc.iwr.cuny.edu
Actual Results:
An error message will appear and your only option is to click OK. However, you
can't access the site.
Expected Results:
Provided access to the secure site without any errors.
Comment 1•21 years ago
.
Assignee: security-bugs → ssaux
Component: Security: General → Client Library
Product: Browser → PSM
QA Contact: bmartin
Version: Trunk → 2.4
Reporter
Comment 2•21 years ago
I have tried all flavors of Mozilla and the SSL error pops up. However, the
website does not have any problems with Netscape, I.E., or Konqueror.
Reporter
Comment 3•21 years ago
The qcc.iwr.cuny.edu website started having problems when a new SSL certificate
was put in place on November 4th, 2003 by Verisign. Is it possible that Verisign
is no longer compatible with Mozilla?? I hope not.
Assignee
Comment 4•21 years ago
Error code -8101 is SEC_ERROR_INADEQUATE_CERT_TYPE:
Certificate type not approved for application.
(NSS's error code tables are at
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html.)
Assignee
Updated•21 years ago
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Reporter
Comment 6•21 years ago
Hi,
I would like to know if this issue will take a long time to resolve. According
to what I read it appears that Mozilla does not support the new Verisign SSL
certificate. However, other browsers have no problem accepting Verisign's SSL
certificate. Will this take Mozilla a long time to resolve???
Thanks,
Quincin Gonjon
Comment 7•21 years ago
The server's cert chain has not been attached to this bug report.
The cited https server is refusing connections, so the cert chain cannot
be obtained from it. Without the server's cert chain, there is no way this bug
report can be analyzed.
Without the cert chain, I can only conjecture as follows:
It is very likely that the new cert simply has the wrong cert extensions in it.
This kind of thing happens from time to time, and the solution is typically
to get a cert with the right extensions.
Please reopen this bug when the server is up and/or the server's complete
cert chain has been attached to this bug.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → INVALID
Reporter
Comment 8•21 years ago
Nelson Bolyard,
Thank you for your explanation. However, why doesn't this affect other
browsers? I need to explain this to my director in the organization. He is
wondering why I.E. is not experiencing the same issue. I was also successful
using Netscape as well as the KDE Konqueror browser. Are these browsers insecure
by not checking the cert chain?
Thanks for any help on this,
Quincin Gonjon
Comment 9•21 years ago
The server cited in this bug is back online, and now I can see what's wrong
with the certificate. I am reopening this bug, so that it can be marked as
a duplicate of another.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Comment 10•21 years ago
See http://bugzilla.mozilla.org/show_bug.cgi?id=171279#c1 for more info.
This server's cert has an Extended Key Usage extension, which says this
cert is usable for international use, but does NOT say that it is usable
as an SSL server.
Specifically, your cert's Extended Key Usage extension contains OID
SSL Step Up (2 16 840 1 113730 4 1) (Netscape)
but does not contain OID
serverAuth (1 3 6 1 5 5 7 3 1) (PKIX key purpose)
In effect, this extension explicitly says that this cert is NOT valid
for server authentication. AFAIK, no standards compliant client should
authenticate a server with that particular cert extension in it.
IMO, your choices are to eliminate the Extended Key Usage extension
entirely or add the serverAuth key purpose OID in it also.
*** This bug has been marked as a duplicate of 171279 ***
Status: REOPENED → RESOLVED
Closed: 21 years ago → 21 years ago
Resolution: --- → DUPLICATE
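The check described in comment 10, as an added example that is not part of the original bug thread and is not NSS code: it decodes an Extended Key Usage value and applies the rule that a present extension must list serverAuth, while an absent extension imposes no restriction. The DER byte strings are constructed samples, the function names are hypothetical, and only short-form DER lengths are handled.

```python
# Added example; the DER values below are constructed, not the bug's certificate.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"      # serverAuth (PKIX key purpose)
STEP_UP = "2.16.840.1.113730.4.1"      # SSL Step Up (Netscape)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the short-form DER TLV at pos."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80 or pos + 2 + length > len(buf):
        raise ValueError("long-form or truncated DER not handled here")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode_oid(body):
    """Turn the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, value = [], 0
    for byte in body:                      # base-128, high bit = continuation
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)          # first two arcs share one value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def eku_purposes(eku_der):
    """List the key purpose OIDs in an Extended Key Usage extension value."""
    tag, seq, _ = read_tlv(eku_der, 0)
    if tag != 0x30:
        raise ValueError("EKU value is not a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(decode_oid(body))
    return oids

def usable_as_tls_server(eku_der):
    """eku_der is None when the certificate has no EKU extension at all."""
    return eku_der is None or SERVER_AUTH in eku_purposes(eku_der)

# Constructed sample: EKU listing only SSL Step Up (the case diagnosed above).
STEP_UP_ONLY = bytes.fromhex("300b" "06096086480186f8420401")
# Constructed sample: the same extension with serverAuth added.
WITH_SERVER_AUTH = bytes.fromhex(
    "3015" "06096086480186f8420401" "06082b06010505070301")

if __name__ == "__main__":
    for name, eku in [("step-up only", STEP_UP_ONLY),
                      ("step-up + serverAuth", WITH_SERVER_AUTH),
                      ("no EKU extension", None)]:
        print(name, "->", usable_as_tls_server(eku))
```

Both remedies named in comment 10 (dropping the extension or adding serverAuth) make `usable_as_tls_server` return `True`; the step-up-only value returns `False`.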
Comment 11•21 years ago
Changing bug summary to reflect actual bug diagnosis.
Summary: Browser does not recognize SSL certificate → New Verisign SSL Step-up cert causes error -8101
Updated•8 years ago
Product: Core → Core Graveyard