Bug 231775 - NSS error -8101 for Verisign SSL step up certs
Status: RESOLVED FIXED
Product: NSS
Classification: Components
Component: Libraries
Version: 3.9
Platform: All All
Priority: P2, Severity: normal
Target Milestone: 3.10
Assigned To: Nelson Bolyard (seldom reads bugmail)
QA Contact: Bishakha Banerjee
URL: https://gpt.infonet.com
Duplicates: 185610 231686 252473 253063 290158
Reported: 2004-01-21 20:39 PST by Nelson Bolyard (seldom reads bugmail)
Modified: 2005-04-13 14:14 PDT

Attachments
Example cert showing problem. The rest of the chain is also included. (10.60 KB, text/plain)
2004-11-09 08:13 PST, Aaron Spangler
One way to fix it (955 bytes, patch)
2004-11-09 18:24 PST, Aaron Spangler
nelson: review+

Description Nelson Bolyard (seldom reads bugmail) 2004-01-21 20:39:08 PST
Verisign issues some SSL server certs with an Extended Key Usage Extension
that contains the Netscape OID for SSL Step Up ("Government Approved"),
but do NOT contain the standard OID for SSL server authentication.

Communicator 4.x is happy with those sites, but NSS is not.
NSS gives error -8101, inadequate key usage.
NSS observes that the Extended key usage extension is present,
but does not include SSL server authentication, and so concludes
that the cert is not authorized for SSL server authentication.

Apparently, C4.x interpreted the SSL Step Up OID as implying SSL server auth,
which is entirely reasonable.

I don't know when this problem crept into NSS, but we should fix it.
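An added example, not NSS code and not the attached patch, that models the decision the description outlines: a minimal DER encoder/decoder for the EKU extension value (SEQUENCE OF OBJECT IDENTIFIER) and an NSS-style check run with and without the fix. The OIDs are the standard id-kp-serverAuth and the Netscape SSL Step Up OID; the Verisign-style EKU value is constructed here, not taken from the attachment.

```python
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"      # id-kp-serverAuth (RFC 3280)
NS_STEP_UP = "2.16.840.1.113730.4.1"   # Netscape SSL Step Up ("Government Approved")

def encode_oid(dotted):
    """DER OBJECT IDENTIFIER TLV for a dotted OID (first arc 0, 1 or 2)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]           # base-128, high bit set on all but last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def encode_eku(oids):
    inner = b"".join(encode_oid(o) for o in oids)   # SEQUENCE OF OID, short-form length
    return bytes([0x30, len(inner)]) + inner

def decode_eku(der):
    """Dotted OIDs inside a short-form DER EKU value; raises on malformed input."""
    if len(der) < 2 or der[0] != 0x30 or der[1] >= 0x80 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    pos, oids = 2, []
    while pos < len(der):
        tag, length = der[pos], der[pos + 1]
        body = der[pos + 2:pos + 2 + length]
        if tag != 0x06 or length >= 0x80 or len(body) != length:
            raise ValueError("expected a complete short-form OBJECT IDENTIFIER")
        arcs, value = [body[0] // 40, body[0] % 40], 0
        for b in body[1:]:
            value = (value << 7) | (b & 0x7F)
            if not b & 0x80:              # last byte of this arc
                arcs.append(value)
                value = 0
        oids.append(".".join(map(str, arcs)))
        pos += 2 + length
    return oids

def allowed_for_ssl_server(eku_der, step_up_implies_server_auth):
    """NSS-style check: no EKU means unrestricted; a present EKU must name
    serverAuth. The flag models the patch: Step Up counts as serverAuth."""
    if eku_der is None:
        return True
    oids = decode_eku(eku_der)
    return SERVER_AUTH in oids or (step_up_implies_server_auth and NS_STEP_UP in oids)

# Constructed EKU in the shape of the Verisign certs in this bug: Step Up only.
VERISIGN_STYLE_EKU = encode_eku([NS_STEP_UP])
```

With the flag off the constructed cert is rejected (the -8101 case); with it on, the Step Up OID is accepted as implying server authentication.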
Comment 1 Nelson Bolyard (seldom reads bugmail) 2004-01-21 20:52:45 PST
Adding other NSS team members to CC list.  
Guys, any idea when this bug crept in?
Comment 2 David :Bienvenu 2004-01-22 08:26:49 PST
*** Bug 231686 has been marked as a duplicate of this bug. ***
Comment 3 Nelson Bolyard (seldom reads bugmail) 2004-07-26 16:42:16 PDT
*** Bug 253063 has been marked as a duplicate of this bug. ***
Comment 4 Nelson Bolyard (seldom reads bugmail) 2004-07-26 20:04:48 PDT
*** Bug 185610 has been marked as a duplicate of this bug. ***
Comment 5 Nelson Bolyard (seldom reads bugmail) 2004-07-26 20:09:57 PDT
Since bug 231686 has been marked as a dup of this bug, this bug does not block it.

Taking this bug.  The real mystery is why this worked in Communicator 4.7.
Comment 6 Aaron Spangler 2004-11-09 08:13:14 PST
Created attachment 165292 [details]
Example cert showing problem.  The rest of the chain is also included.

Here is an example of a certificate with this problem that we recently received
from Verisign. (Thanks Verisign for not following the standards).

The problem is with the missing x509 usages for sslserver or nssslerver in the
first certificate listed in the attachment.  I included the rest of the
certificate chain so that it could be checked for validity.  Firefox already
has the CA certificate (the last one in the attached chain) loaded.

P.S.
This certificate verifies perfect on IE, Netscape 4.7 and also with
'openssl -purpose sslserver verify'.
Comment 7 Aaron Spangler 2004-11-09 08:14:21 PST
Oh - and we are having this problem also on some internal websites that Verisign
recently issued certs for.
Comment 8 Aaron Spangler 2004-11-09 18:24:14 PST
Created attachment 165363 [details] [diff] [review]
One way to fix it

I haven't tested this patch, but it should work.  Let me know if someone tests
this.
Comment 9 Josh Birnbaum 2004-11-20 00:12:33 PST
*** Bug 252473 has been marked as a duplicate of this bug. ***
Comment 10 Nelson Bolyard (seldom reads bugmail) 2004-11-28 21:26:17 PST
Aaron, I have tested your patch by applying it to a trunk NSS build 
and running the resultant shared libs with moz 1.8a5.  
I tested against the URL https://gpt.infonet.com which failed with
stock 1.8a5, and succeeded with your patch in place.

I approve your patch, and will apply it to the trunk.  
If you want me to add your name and/or email address to the list of 
contributors for the patched file, please email me (or attach a 
comment here) giving the exact name and/or email address.  Thanks.
Comment 11 Nelson Bolyard (seldom reads bugmail) 2004-11-28 21:27:24 PST
Comment on attachment 165363 [details] [diff] [review]
One way to fix it

r+ for Aaron's patch.  The comment in the patch will need a little editing.
Otherwise, it's AOK.
Comment 12 Nelson Bolyard (seldom reads bugmail) 2004-12-02 14:09:07 PST
Trunk checkin:

/cvsroot/mozilla/security/nss/lib/certdb/certdb.c,v  <--  certdb.c
new revision: 1.71; previous revision: 1.70

Thanks for the contribution Aaron.  You're now an official contributor.
Comment 13 Steve England [:stevee] 2005-04-13 06:02:03 PDT
*** Bug 290158 has been marked as a duplicate of this bug. ***
Comment 14 Aaron Spangler 2005-04-13 10:15:42 PDT
Any idea when this will get released for Firefox?  I have a lot of sites now I
cannot visit with Firefox.
Comment 15 Matthias Versen [:Matti] 2005-04-13 12:51:03 PDT
AFAIK with FF1.1
Comment 16 Nelson Bolyard (seldom reads bugmail) 2005-04-13 14:14:37 PDT
NSS 3.10 Beta 3 is available now for download from ftp.mozilla.org.
You download it, unzip it (on unix/linux you gunzip it), and you copy all 
the .dll (or on unix/linux .so) files into your mozilla/FF/TB directory
(while the programs are NOT running).  You might wanna save backup copies
of the old files first, just in case.