Closed Bug 225159 Opened 21 years ago Closed 21 years ago

Error -8183 with www.sslhost.com

Categories

(Core Graveyard :: Security: UI, defect)

Product:
Core Graveyard
Component:
Security: UI
Version:
Other Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INVALID

People

(Reporter: incze, Assigned: KaiE)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030703
Build Identifier: mozilla-win32-1.5 latest (and before)

When encountering a bad certificate in some cases the client will display an 
error message instead of prompting the user. When the error is displayed the
connection will always fail and the user have to restart the browser to be able
to connect to the site with the questionable certificate. The message displayed is:

Error establishing an encrypted connection to www.sslhost.com. Error Code: -8183.

I'm aware of some issues in the bugtraq base wich seems to be related to this
error, e.g. <a href="http://bugzilla.mozilla.org/show_bug.cgi?id=124901">Issue
#124901</a> (see comment #15). But my experience is different. In my case, at
the 1st connection an alarm dialog allways pops up, and you can set up the
connection after okeying it. This error message pops up randomly during a long
ssl session, probably when the browser tries to reconnect for some reason, or
tries to open a new connection to the same place in a new window, etc.

The certificate of the sever is known to be bad (domain name mismatch).

I've seen a very similar report in the advisory <a
href="http://netscape.intelligent.net/redisa/ssl_spoof.html">SSL Spoofing
Vulnerability in SSL Client Applications</a>.

Reproducible: Couldn't Reproduce

Steps to Reproduce:
1.
2.
3.

Actual Results:  
Error establishing an encrypted connection to www.sslhost.com. Error Code: -8183.

Expected Results:  
Security error: Domain Name Mismatch

dialog box (OK, cancl, help, view certificate)
I can also confirm this. First, visit https://test.breezeway.tv (cert name
mismatch) and accept the cert error, then try to visit https://www.breezeway.tv .

This broke sometime after 1.5... For severity I would rate this HIGH, becasue it
diminishes the user experience for perfectly valid sites after visiting one bad
one -- and it was working before.
j.Ruchatz@altendorf.de experienced that bug
"Error establishing an encrypted connection to login.passport.com.
Error Code: -5985." when logging in to Microsoft's .NET . 
Mozilla Ver 1.6a, OS = Win XP. MS Explorer was successful on the same PC.
Still broken on 11 dec 2003 build.......
I think this bug should be raised to a critical level - if it makes into the 1.6
(which is now BETA!) then a release version would be heavily broken... As it
stands its still unconfirmed! Can the bug author chnage its severity?
*** Bug 228380 has been marked as a duplicate of this bug. ***
When a bug is assigned to the wrong component, it is not likely to be noticed
by the right people.  Changing to component PSM.  It may later be changed to NSS.
Component: Security: General → Client Library
Product: Browser → PSM
Version: Trunk → unspecified
Assignee: security-bugs → kaie
QA Contact: bmartin
This bug began as a report of error -8183 when visiting https://www.sslhost.com/
The complaint was that mozilla does not give the user the chance to override
the error and continue.  More about that below.

Comments 1-5 seem to be about different error codes at different sites,
and I believe those issues have now all been resolved in bug 191845.
But they are definitely different problems, not the same as -8183.
Please take any further discussion of those issues to bug 191845.

Error -8183 (documented at
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html#1037299 )
means that the cert was improperly formatted.  because of that problem, 
Mozilla cannot parse it and extract the public key from it.  Without the 
server's public key, there is NO WAY that mozilla (or any https client) can
succesfully communicate with the server.  So, the request to allow the user to
bypass error -8183 is invalid, and this bug will be resolved as such.

Perhaps the reporter meant some other error code.  The reporter also 
describes a name mismatch, which is not error -8183.  Reporter, if you want
to ammend your original statement and cite a different error code, you may
reopen this bug.
URL: https://www.sslhost.com/
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → INVALID
Summary: Error establishing an encrypted connection to www.sslhost.com. Error Code: -8183. → Error -8183 with www.sslhost.com
Product: PSM → Core
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.