Closed Bug 231775 Opened 21 years ago Closed 20 years ago

NSS error -8101 for Verisign SSL step up certs


(NSS :: Libraries, defect, P2)



(Not tracked)



(Reporter: nelson, Assigned: nelson)





(2 files)

Verisign issues some SSL server certs with an Extended Key Usage Extension
that contains the Netscape OID for SSL Step Up ("Government Approved"),
but do NOT contian the standard OID for SSL server authentication.  

Communicator 4.x is happy with those sites, but NSS is not. 
NSS gives error -8101, inadequate key usage.  
NSS observes that the Extended key usage extension is present, 
but does not include SSL server authentication, and so concludes 
that the cert is not authorized for SSL server authenticaiton.  

Apparently, C4.x intepreted the SSL Step Up OID as implying SSL server auth,
which is entirely reasonable.  

I don't know when this problem crept into NSS, but we shold fix it.
Adding other NSS team members to CC list.  
Guys, any idea when this bug crept in?
*** Bug 231686 has been marked as a duplicate of this bug. ***
*** Bug 253063 has been marked as a duplicate of this bug. ***
No longer blocks: 185610
*** Bug 185610 has been marked as a duplicate of this bug. ***
Since bug 231686 has been marked as a dup of this bug, this bug does not block it.

Taking this bug.  The real mystery is why this worked in Communicator 4.7.
Assignee: wchang0222 → nelson
No longer blocks: 231686
Here is an example of a certificate with this problem that we recently received
from Verisign.	(Thanks Verisign for not following the standards).

The problem is with the missing x509 usages for sslserver or nssslerver in the
first certificate listed in the attachment.  I included the rest of the
certificate chain so that it could be checked for validity.  Firefox already
has the CA certificate (the last one in the attached chain) loaded.

This certificate verifies perfect on IE, Netscape 4.7 and also with 'openssl
-purpose sslserver verify'.
Oh - and we are having this problem also on some internal websites that Verisign
recently issued certs for.
I haven't tested this patch, but it should work.  Let me know if someone tests
*** Bug 252473 has been marked as a duplicate of this bug. ***
Aaron, I have tested your patch by applying it to a trunk NSS build 
and running the resultant shared libs with moz 1.8a5.  
I tested against the URL which failed with
stock 1.8a5, and succeeded with your patch in place.

I approve your patch, and will apply it to the trunk.  
If you want me to add your name and/or email address to the list of 
contributors for the patched file, please email me (or attach a 
comment here) giving the exact name and/or email address.  Thanks.
Priority: -- → P2
Target Milestone: --- → 3.10
Comment on attachment 165363 [details] [diff] [review]
One way to fix it

r+ for aaron's patch.  The comment in the patch will need a little editing. 
Otherwise, it's AOK.
Attachment #165363 - Flags: review+
Trunk checkin:

/cvsroot/mozilla/security/nss/lib/certdb/certdb.c,v  <--  certdb.c
new revision: 1.71; previous revision: 1.70

Thanks for the contribution Aaron.  You're now an official contributor.
Closed: 20 years ago
Resolution: --- → FIXED
*** Bug 290158 has been marked as a duplicate of this bug. ***
Any Idea when this will get released for Firefox?  I have a lot of sites now I
cannot visit with firefox.
AFAIK with FF1.1
NSS 3.10 Beta 3 is available now for download from
You download it, unzip it (on unix/linux you gunzip it), and you copy all 
the .dll (or on unix/linux .so) files into your mozilla/FF/TB directory
(while the programs are NOT running).  You might wanna save backup copies
of the old files first, just in case.
You need to log in before you can comment on or make changes to this bug.