Closed
Bug 231775
Opened 21 years ago
Closed 20 years ago
NSS error -8101 for Verisign SSL step up certs
Categories
(NSS :: Libraries, defect, P2)
Tracking
(Not tracked)
RESOLVED
FIXED
3.10
People
(Reporter: nelson, Assigned: nelson)
References
()
Details
Attachments
(2 files)
10.60 KB,
text/plain
|
Details | |
955 bytes,
patch
|
nelson
:
review+
|
Details | Diff | Splinter Review |
Verisign issues some SSL server certs with an Extended Key Usage Extension
that contains the Netscape OID for SSL Step Up ("Government Approved"),
but do NOT contian the standard OID for SSL server authentication.
Communicator 4.x is happy with those sites, but NSS is not.
NSS gives error -8101, inadequate key usage.
NSS observes that the Extended key usage extension is present,
but does not include SSL server authentication, and so concludes
that the cert is not authorized for SSL server authenticaiton.
Apparently, C4.x intepreted the SSL Step Up OID as implying SSL server auth,
which is entirely reasonable.
I don't know when this problem crept into NSS, but we shold fix it.
Assignee | ||
Comment 1•21 years ago
|
||
Adding other NSS team members to CC list.
Guys, any idea when this bug crept in?
Comment 2•21 years ago
|
||
*** Bug 231686 has been marked as a duplicate of this bug. ***
Assignee | ||
Comment 3•20 years ago
|
||
*** Bug 253063 has been marked as a duplicate of this bug. ***
Assignee | ||
Comment 4•20 years ago
|
||
*** Bug 185610 has been marked as a duplicate of this bug. ***
Assignee | ||
Comment 5•20 years ago
|
||
Since bug 231686 has been marked as a dup of this bug, this bug does not block it.
Taking this bug. The real mystery is why this worked in Communicator 4.7.
Assignee: wchang0222 → nelson
No longer blocks: 231686
Comment 6•20 years ago
|
||
Here is an example of a certificate with this problem that we recently received
from Verisign. (Thanks Verisign for not following the standards).
The problem is with the missing x509 usages for sslserver or nssslerver in the
first certificate listed in the attachment. I included the rest of the
certificate chain so that it could be checked for validity. Firefox already
has the CA certificate (the last one in the attached chain) loaded.
P.S.
This certificate verifies perfect on IE, Netscape 4.7 and also with 'openssl
-purpose sslserver verify'.
Comment 7•20 years ago
|
||
Oh - and we are having this problem also on some internal websites that Verisign
recently issued certs for.
Comment 8•20 years ago
|
||
I haven't tested this patch, but it should work. Let me know if someone tests
this.
Comment 9•20 years ago
|
||
*** Bug 252473 has been marked as a duplicate of this bug. ***
Assignee | ||
Comment 10•20 years ago
|
||
Aaron, I have tested your patch by applying it to a trunk NSS build
and running the resultant shared libs with moz 1.8a5.
I tested against the URL https://gpt.infonet.com which failed with
stock 1.8a5, and succeeded with your patch in place.
I approve your patch, and will apply it to the trunk.
If you want me to add your name and/or email address to the list of
contributors for the patched file, please email me (or attach a
comment here) giving the exact name and/or email address. Thanks.
Assignee | ||
Comment 11•20 years ago
|
||
Comment on attachment 165363 [details] [diff] [review]
One way to fix it
r+ for aaron's patch. The comment in the patch will need a little editing.
Otherwise, it's AOK.
Attachment #165363 -
Flags: review+
Assignee | ||
Comment 12•20 years ago
|
||
Trunk checkin:
/cvsroot/mozilla/security/nss/lib/certdb/certdb.c,v <-- certdb.c
new revision: 1.71; previous revision: 1.70
Thanks for the contribution Aaron. You're now an official contributor.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Comment 13•20 years ago
|
||
*** Bug 290158 has been marked as a duplicate of this bug. ***
Comment 14•20 years ago
|
||
Any Idea when this will get released for Firefox? I have a lot of sites now I
cannot visit with firefox.
Comment 15•20 years ago
|
||
AFAIK with FF1.1
Assignee | ||
Comment 16•20 years ago
|
||
NSS 3.10 Beta 3 is available now for download from ftp.mozilla.org.
You download it, unzip it (on unix/linux you gunzip it), and you copy all
the .dll (or on unix/linux .so) files into your mozilla/FF/TB directory
(while the programs are NOT running). You might wanna save backup copies
of the old files first, just in case.
You need to log in
before you can comment on or make changes to this bug.
Description
•