Verisign issues some SSL server certs with an Extended Key Usage Extension
that contains the Netscape OID for SSL Step Up ("Government Approved"),
but do NOT contian the standard OID for SSL server authentication.
Communicator 4.x is happy with those sites, but NSS is not.
NSS gives error -8101, inadequate key usage.
NSS observes that the Extended key usage extension is present,
but does not include SSL server authentication, and so concludes
that the cert is not authorized for SSL server authenticaiton.
Apparently, C4.x intepreted the SSL Step Up OID as implying SSL server auth,
which is entirely reasonable.
I don't know when this problem crept into NSS, but we shold fix it.
Adding other NSS team members to CC list.
Guys, any idea when this bug crept in?
*** Bug 231686 has been marked as a duplicate of this bug. ***
*** Bug 253063 has been marked as a duplicate of this bug. ***
*** Bug 185610 has been marked as a duplicate of this bug. ***
Since bug 231686 has been marked as a dup of this bug, this bug does not block it.
Taking this bug. The real mystery is why this worked in Communicator 4.7.
Created attachment 165292 [details]
Example cert showing problem. The rest of the chain is also included.
Here is an example of a certificate with this problem that we recently received
from Verisign. (Thanks Verisign for not following the standards).
The problem is with the missing x509 usages for sslserver or nssslerver in the
first certificate listed in the attachment. I included the rest of the
certificate chain so that it could be checked for validity. Firefox already
has the CA certificate (the last one in the attached chain) loaded.
This certificate verifies perfect on IE, Netscape 4.7 and also with 'openssl
-purpose sslserver verify'.
Oh - and we are having this problem also on some internal websites that Verisign
recently issued certs for.
Created attachment 165363 [details] [diff] [review]
One way to fix it
I haven't tested this patch, but it should work. Let me know if someone tests
*** Bug 252473 has been marked as a duplicate of this bug. ***
Aaron, I have tested your patch by applying it to a trunk NSS build
and running the resultant shared libs with moz 1.8a5.
I tested against the URL https://gpt.infonet.com which failed with
stock 1.8a5, and succeeded with your patch in place.
I approve your patch, and will apply it to the trunk.
If you want me to add your name and/or email address to the list of
contributors for the patched file, please email me (or attach a
comment here) giving the exact name and/or email address. Thanks.
Comment on attachment 165363 [details] [diff] [review]
One way to fix it
r+ for aaron's patch. The comment in the patch will need a little editing.
Otherwise, it's AOK.
/cvsroot/mozilla/security/nss/lib/certdb/certdb.c,v <-- certdb.c
new revision: 1.71; previous revision: 1.70
Thanks for the contribution Aaron. You're now an official contributor.
*** Bug 290158 has been marked as a duplicate of this bug. ***
Any Idea when this will get released for Firefox? I have a lot of sites now I
cannot visit with firefox.
AFAIK with FF1.1
NSS 3.10 Beta 3 is available now for download from ftp.mozilla.org.
You download it, unzip it (on unix/linux you gunzip it), and you copy all
the .dll (or on unix/linux .so) files into your mozilla/FF/TB directory
(while the programs are NOT running). You might wanna save backup copies
of the old files first, just in case.