User-Agent: Nutscrape/1.0 (CP/M; 8-bit)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a3) Gecko/20040719

Mozilla after version 1.5 doesn't work correctly with server-side SSL certificates with 2048-bit keys. When I import a self-signed CA certificate generated with DSA (2048-bit key), the Certificate Viewer displays only "Status Responder Certificate" under uses instead of "SSL Client Certificate", "SSL Server Certificate", "Email Signer Certificate", "Email Recipient Certificate", "SSL Certificate Authority", "Status Responder Certificate". When I try to connect to a web site with an SSL certificate with a DSA 2048-bit key, or one only signed by a CA with a DSA 2048-bit key, a message box appears with the text: "Could not establish an encrypted connection because certificate presented by XXX is invalid or corrupted. Error Code: -8152."

This bug affects versions 1.6, 1.7, and 1.8a3 (build 20040719). Mozilla 1.5, IE and links handle it without trouble.

Reproducible: Always

Steps to Reproduce:
1. Generate a self-signed CA
   sh$ openssl dsaparam -out dsaparam 2048
   sh$ openssl gendsa -des3 -out myca.key dsaparam
   sh$ openssl req -new -x509 -key myca.key -out myca.crt
2. Generate the www server certificate
   sh$ openssl dsaparam -out dsaparam 2048
   sh$ openssl gendsa -out www.key dsaparam
   sh$ openssl req -new -key www.key -out www.csr
   sh$ openssl ca -in www.csr -out www.crt
3. Install the CA certificate myca.crt into Mozilla
4. View your certificate status in "Certificate Manager" (click View) -> Certificate Viewer
5. Try to access https://machine/ where machine uses www.key and www.crt (you can skip steps 3 and 4; it doesn't matter)

Actual Results:
After step 4 you can see only "Status Responder Certificate" instead of the full list of uses (see Details). After step 5 a message box arrives with Error Code: -8152.

Expected Results:
It should show the full list of uses (see Details) after step 4. It should be able to access the https:// web site after step 5.

I have a PC with an Athlon 1200 and Windows 2000 Professional SP4.
I'm not sure in which part (PSM client library or daemon) the bug is.
Error -8152 is invalid key. Mozilla now does tighter key validity checks than it formerly did, and has found numerous invalid keys in various certs. Seems some other products (including older versions of Mozilla) don't check keys for validity very well before using them. If the certs in question were attached to this bug, we could point out exactly what mozilla is unhappy about, but they're not. Marking this bug invalid. If you can attach the relevant certs to this bug, we could tell you more.
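The script below is an added example, not part of the bug report and not code from Mozilla or NSS. It scripts the reporter's OpenSSL steps non-interactively and then runs the checks a practitioner would do on the resulting chain before concluding the client is at fault: does the server certificate chain to the CA, does OpenSSL's own key-consistency check accept the server key, and are the key size and algorithm what was intended. Assumptions: openssl is on PATH; "openssl x509 -req" is used in place of the reporter's "openssl ca" (which needs a configured CA directory); the CA key is left unencrypted (the report used -des3) so nothing prompts for a passphrase; one DSA parameter set is generated and reused for both keys; subject names are constructed. The checks are OpenSSL's, not the tighter NSS checks the previous comment describes, so a key passing here is not proof that Mozilla would accept it; attaching the actual certificates to the bug remains the way to find out what -8152 is objecting to.

```shell
#!/bin/sh
# Added example (not from the bug report, not Mozilla/NSS code).
# Assumes: openssl on PATH; x509 -req instead of "openssl ca"; unencrypted CA
# key; one reused DSA parameter set; constructed subject names.

# gen_dsa_chain DIR BITS: self-signed DSA CA plus a CA-signed DSA server
# certificate, written under DIR.
gen_dsa_chain() {
    dir="$1"; bits="$2"
    openssl dsaparam -out "$dir/dsaparam" "$bits" 2>/dev/null
    openssl gendsa -out "$dir/myca.key" "$dir/dsaparam" 2>/dev/null
    openssl req -new -x509 -key "$dir/myca.key" -out "$dir/myca.crt" \
        -days 365 -subj "/CN=Test DSA CA" 2>/dev/null
    openssl gendsa -out "$dir/www.key" "$dir/dsaparam" 2>/dev/null
    openssl req -new -key "$dir/www.key" -out "$dir/www.csr" \
        -subj "/CN=machine" 2>/dev/null
    openssl x509 -req -in "$dir/www.csr" -CA "$dir/myca.crt" \
        -CAkey "$dir/myca.key" -CAcreateserial -days 365 \
        -out "$dir/www.crt" 2>/dev/null
}

# verify_chain DIR: prints OK if www.crt chains to myca.crt, else FAIL.
verify_chain() {
    if openssl verify -CAfile "$1/myca.crt" "$1/www.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# key_check DIR: exit status of OpenSSL's key-consistency check on www.key.
key_check() {
    openssl pkey -in "$1/www.key" -check -noout >/dev/null 2>&1
}

# key_bits DIR: the DSA key size OpenSSL reports for www.key.
key_bits() {
    openssl pkey -in "$1/www.key" -text -noout 2>/dev/null |
        sed -n 's/^Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# cert_key_algo DIR: the public key algorithm named in www.crt.
cert_key_algo() {
    openssl x509 -in "$1/www.crt" -noout -text 2>/dev/null |
        sed -n 's/^ *Public Key Algorithm: //p'
}

# Stand-alone run: "sh thisfile.sh run" builds the chain in a scratch
# directory and prints the check results.
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    gen_dsa_chain "$work" 2048
    echo "chain verifies: $(verify_chain "$work")"
    if key_check "$work"; then echo "key check: valid"; else echo "key check: FAILED"; fi
    echo "key bits: $(key_bits "$work")"
    echo "cert key algorithm: $(cert_key_algo "$work")"
    rm -rf "$work"
fi
```

Generating 2048-bit DSA parameters can take several seconds. If verify_chain prints OK and key_check succeeds yet a client still rejects the certificate, the disagreement is about what the client considers a valid key, which is exactly why the certificates themselves are needed on the bug.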