Note: There are a few cases of duplicates in user autocompletion which are being worked on.

NSS error -8101 for Verisign SSL step up certs

RESOLVED FIXED in 3.10

Status

NSS
Libraries
P2
normal
RESOLVED FIXED
14 years ago
12 years ago

People

(Reporter: Nelson Bolyard (seldom reads bugmail), Assigned: Nelson Bolyard (seldom reads bugmail))

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(2 attachments)

Verisign issues some SSL server certs with an Extended Key Usage Extension
that contains the Netscape OID for SSL Step Up ("Government Approved"),
but do NOT contian the standard OID for SSL server authentication.  

Communicator 4.x is happy with those sites, but NSS is not. 
NSS gives error -8101, inadequate key usage.  
NSS observes that the Extended key usage extension is present, 
but does not include SSL server authentication, and so concludes 
that the cert is not authorized for SSL server authenticaiton.  

Apparently, C4.x intepreted the SSL Step Up OID as implying SSL server auth,
which is entirely reasonable.  

I don't know when this problem crept into NSS, but we shold fix it.
(Assignee)

Comment 1

14 years ago
Adding other NSS team members to CC list.  
Guys, any idea when this bug crept in?

Comment 2

14 years ago
*** Bug 231686 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 3

13 years ago
*** Bug 253063 has been marked as a duplicate of this bug. ***
(Assignee)

Updated

13 years ago
No longer blocks: 185610
(Assignee)

Comment 4

13 years ago
*** Bug 185610 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 5

13 years ago
Since bug 231686 has been marked as a dup of this bug, this bug does not block it.

Taking this bug.  The real mystery is why this worked in Communicator 4.7.
Assignee: wchang0222 → nelson
No longer blocks: 231686

Comment 6

13 years ago
Created attachment 165292 [details]
Example cert showing problem.  The rest of the chain is also included.

Here is an example of a certificate with this problem that we recently received
from Verisign.	(Thanks Verisign for not following the standards).

The problem is with the missing x509 usages for sslserver or nssslerver in the
first certificate listed in the attachment.  I included the rest of the
certificate chain so that it could be checked for validity.  Firefox already
has the CA certificate (the last one in the attached chain) loaded.

P.S.
This certificate verifies perfect on IE, Netscape 4.7 and also with 'openssl
-purpose sslserver verify'.

Comment 7

13 years ago
Oh - and we are having this problem also on some internal websites that Verisign
recently issued certs for.

Comment 8

13 years ago
Created attachment 165363 [details] [diff] [review]
One way to fix it

I haven't tested this patch, but it should work.  Let me know if someone tests
this.

Comment 9

13 years ago
*** Bug 252473 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 10

13 years ago
Aaron, I have tested your patch by applying it to a trunk NSS build 
and running the resultant shared libs with moz 1.8a5.  
I tested against the URL https://gpt.infonet.com which failed with
stock 1.8a5, and succeeded with your patch in place.

I approve your patch, and will apply it to the trunk.  
If you want me to add your name and/or email address to the list of 
contributors for the patched file, please email me (or attach a 
comment here) giving the exact name and/or email address.  Thanks.
Status: NEW → ASSIGNED
Priority: -- → P2
Target Milestone: --- → 3.10
(Assignee)

Comment 11

13 years ago
Comment on attachment 165363 [details] [diff] [review]
One way to fix it

r+ for aaron's patch.  The comment in the patch will need a little editing. 
Otherwise, it's AOK.
Attachment #165363 - Flags: review+
(Assignee)

Comment 12

13 years ago
Trunk checkin:

/cvsroot/mozilla/security/nss/lib/certdb/certdb.c,v  <--  certdb.c
new revision: 1.71; previous revision: 1.70

Thanks for the contribution Aaron.  You're now an official contributor.
Status: ASSIGNED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
*** Bug 290158 has been marked as a duplicate of this bug. ***

Comment 14

12 years ago
Any Idea when this will get released for Firefox?  I have a lot of sites now I
cannot visit with firefox.
AFAIK with FF1.1
(Assignee)

Comment 16

12 years ago
NSS 3.10 Beta 3 is available now for download from ftp.mozilla.org.
You download it, unzip it (on unix/linux you gunzip it), and you copy all 
the .dll (or on unix/linux .so) files into your mozilla/FF/TB directory
(while the programs are NOT running).  You might wanna save backup copies
of the old files first, just in case.
You need to log in before you can comment on or make changes to this bug.