Self-signed DSA cert untrusted for SSL servers

Product: Core Graveyard
Component: Security: UI
Reported: 14 years ago
Updated: a year ago
Reporter: Ludek Finstrle
Assigned: kaie
Version: Other Branch
Platform: Windows 2000

14 years ago
User-Agent:       Nutscrape/1.0 (CP/M; 8-bit)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a3) Gecko/20040719

Mozilla after version 1.5 doesn't work correctly with server-side SSL certificates
with a 2048-bit key.
When I import a self-signed CA certificate generated with DSA (2048-bit key), the
Certificate Viewer displays only "Status Responder Certificate" under uses
instead of "SSL Client Certificate", "SSL Server Certificate", "Email Signer
Certificate", "Email Recipient Certificate", "SSL Certificate Authority", "Status
Responder Certificate".
When I try to connect to a web site with an SSL certificate with a DSA 2048-bit key, or
one only signed by a CA with a DSA 2048-bit key, a message box arrives with the text: "Could
not establish an encrypted connection because the certificate presented by XXX is
invalid or corrupted. Error Code: -8152."
This bug is present in versions 1.6, 1.7, and 1.8a3 (build 20040719).
Mozilla 1.5, IE, and links handle it without trouble.

Reproducible: Always
Steps to Reproduce:
1. Generate self-signed CA
   sh$ openssl dsaparam -out dsaparam 2048
   sh$ openssl gendsa -des3 -out myca.key dsaparam
   sh$ openssl req -new -x509 -key myca.key -out myca.crt
2. Generate www server certificate
   sh$ openssl dsaparam -out dsaparam 2048
   sh$ openssl gendsa -out www.key dsaparam
   sh$ openssl req -new -key www.key -out www.csr
   sh$ openssl ca -in www.csr -out www.crt
3. Install the CA certificate myca.crt into Mozilla
4. View your certificate status in "Certificate Manager" (click View) ->
Certificate Viewer
5. Try to access https://machine/ where machine uses www.key and www.crt
   (you can skip steps 3 and 4 - it doesn't matter)
Actual Results:
You can see only "Status Responder Certificate" instead of the full list of uses
(see Details) after step 4.
A message box arrives with Error Code: -8152 after step 5.

Expected Results:
It may show the full list of uses (see Details) after step 4.
It may access the https:// web site after step 5.

I have a PC Athlon 1200, Windows 2000 Prof. SP 4.
I'm not sure in which part (PSM client library or daemon) the bug is.
Error -8152 is invalid key.  Mozilla now does tighter key validity checks
than it formerly did, and has found numerous invalid keys in various certs.
Seems some other products (including older versions of Mozilla) don't check
keys for validity very well before using them.  
If the certs in question were attached to this bug, we could point out
exactly what Mozilla is unhappy about, but they're not.

Marking this bug invalid. If you can attach the relevant certs to this bug,
we could tell you more.
Last Resolved: 14 years ago
Resolution: --- → INVALID
Summary: SSL key length 2048 bits → Self-signed DSA cert untrusted for SSL servers
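The reply above attributes error -8152 to an "invalid key" found by tighter key validity checks, without the reporter's certificate being available to say which check fired. As an added example (not NSS, PSM or Mozilla code, and not a reconstruction of the checks Mozilla actually ran), the following Python shows the structural checks a validator can apply to a DSA public key before trusting it: p and q prime, q dividing p-1, g generating the order-q subgroup, y inside that subgroup, plus a minimum-size policy. The parameter sizes, the fixed seed and the tampered keys are constructed for the demo; the toy 64-bit p is far below real DSA sizes and exists only so the example runs in a fraction of a second. Every one of these failures reaches a browser user as nothing more specific than "invalid key", which is why the comment asks for the actual certificate.

```python
# Added example (not NSS or Mozilla code): what a "key validity" check on a DSA
# public key looks like. Toy parameter sizes keep it fast; real DSA uses far
# larger p and q.
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Trial division plus Miller-Rabin with fixed bases (deterministic for n < 3e23)."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Random odd prime with exactly `bits` bits."""
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(n):
            return n


def generate_toy_params(rng, p_bits=64, q_bits=32):
    """DSA domain parameters (p, q, g) with q | p-1 and g of order q (toy sizes)."""
    q = random_prime(q_bits, rng)
    while True:
        # even cofactor k so that p = k*q + 1 is odd; top bit set so p has p_bits bits
        k = (rng.getrandbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))) & ~1
        p = k * q + 1
        if p.bit_length() == p_bits and is_probable_prime(p):
            break
    h = 2
    while True:
        g = pow(h, (p - 1) // q, p)  # g^q == 1 mod p by construction
        if g > 1:
            return p, q, g
        h += 1


def generate_keypair(params, rng):
    p, q, g = params
    x = rng.randrange(1, q)  # private key
    return x, pow(g, x, p)   # (x, y)


def validate_dsa_public_key(p, q, g, y, min_p_bits=64):
    """Return (True, "ok") if (p, q, g, y) is a well-formed DSA public key, else (False, reason)."""
    if p.bit_length() < min_p_bits:
        return False, "p is shorter than the policy minimum"
    if not (is_probable_prime(p) and is_probable_prime(q)):
        return False, "p or q is not prime"
    if (p - 1) % q != 0:
        return False, "q does not divide p - 1"
    if not 1 < g < p or pow(g, q, p) != 1:
        return False, "g does not generate the order-q subgroup"
    if not 1 < y < p:
        return False, "y is out of range"
    if pow(y, q, p) != 1:
        return False, "y is not in the order-q subgroup"
    return True, "ok"


def demo():
    """Run the checks on a good key and on three constructed bad ones."""
    rng = random.Random(20040719)  # fixed seed: constructed, reproducible sample
    p, q, g = generate_toy_params(rng)
    _x, y = generate_keypair((p, q, g), rng)
    small_p, small_q, small_g = generate_toy_params(rng, p_bits=48, q_bits=24)
    _sx, small_y = generate_keypair((small_p, small_q, small_g), rng)
    return {
        "valid": validate_dsa_public_key(p, q, g, y)[0],
        # p-1 == -1 mod p, and (-1)^q == -1 for odd q, so it is never in the subgroup
        "y_outside_subgroup": validate_dsa_public_key(p, q, g, p - 1)[0],
        "q_not_prime": validate_dsa_public_key(p, 3 * q, g, y)[0],
        "p_below_policy": validate_dsa_public_key(small_p, small_q, small_g, small_y)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'accepted' if ok else 'rejected'}")
```

The size check is deliberately a policy knob separate from the mathematical checks: a key can be perfectly well-formed and still be refused because it falls outside what a given implementation supports or permits, and from the outside both cases look identical to the user.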


13 years ago
Component: Security: UI → Security: UI
Product: PSM → Core
Product: Core → Core Graveyard