Closed Bug 261003 Opened 20 years ago Closed 18 years ago

Does not import CRL (Error Code: ffffe00b)

Categories

(Core :: Security: PSM, defect)

x86
Windows 2000
defect
Not set
major

RESOLVED INVALID

People

(Reporter: attila.bognar, Assigned: KaiE)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20040913 Firefox/0.10
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20040913 Firefox/0.10

Firefox does not import a CRL that mozilla imports without any problem.
The message displayed:

The browser cannot import the Certification Revocation List (CRL).
Error importing CRL to local Database. Error Code:ffffe00b.
Please ask your system administrator for assistance.

Reproducible: Always
Steps to Reproduce:
1. create a CRL with openssl
2. publish it on a website
3. try to download it

Actual Results:  
a message dialog popped up:
The browser cannot import the Certification Revocation List (CRL).
Error importing CRL to local Database. Error Code:ffffe00b.
Please ask your system administrator for assistance.

Expected Results:  
Import the CRL in the CRL list like mozilla, appear in the list of CRLs imported.


Mozilla imported it with no problem.

Attila, which version of Mozilla is working?  Both use the same code for crypto.

'ffffe00b' is the unsigned int representation of the 16 bit '-1FF5' signed integer
value.
In decimal encoding, that's -8 181.

Once you have calculated that, you can go to this page: NSS and SSL Error Codes
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html#1038501

And see that error -8 181 is :
SEC_ERROR_EXPIRED_CERTIFICATE -8181 Peer's certificate has expired.

So when you imported in mozilla, the CA cert used to check the crl was valid,
but one used with Firefox was expired.

The way this dialog reports errors really sucks.
Component: Preferences → Security: PSM
Product: Firefox → Core
Version: unspecified → Trunk
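
The hex-to-NSS-error conversion walked through in the comment above, as an added example (not part of the original bug report and not PSM or NSS code). The function names are hypothetical, the name table is a partial transcription of NSS's `secerr.h`, and the second sample line is constructed.

```python
import re

# Error-code blocks owned by each NSS library (secerr.h / sslerr.h).
RANGES = [
    ("SEC_ERROR", -0x2000, 1000),  # SEC_ERROR_BASE .. SEC_ERROR_LIMIT
    ("SSL_ERROR", -0x3000, 1000),  # SSL_ERROR_BASE .. SSL_ERROR_LIMIT
]

# Partial table: only the codes most relevant to a failed CRL import.
KNOWN = {
    -8183: "SEC_ERROR_BAD_DER",
    -8182: "SEC_ERROR_BAD_SIGNATURE",
    -8181: "SEC_ERROR_EXPIRED_CERTIFICATE",
    -8179: "SEC_ERROR_UNKNOWN_ISSUER",
    -8162: "SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE",
    -8161: "SEC_ERROR_CRL_EXPIRED",
    -8160: "SEC_ERROR_CRL_BAD_SIGNATURE",
    -8159: "SEC_ERROR_CRL_INVALID",
}

CODE_RE = re.compile(r"Error Code:\s*([0-9a-fA-F]{1,8})\b")

# First line is the dialog text from this report; the second is constructed.
SAMPLE = """Error importing CRL to local Database. Error Code:ffffe00b.
Error importing CRL to local Database. Error Code:ffffe01f."""

def to_signed32(hex_text):
    """Reinterpret an unsigned 32-bit hex string as a two's-complement int."""
    value = int(hex_text, 16)
    if value > 0xFFFFFFFF:
        raise ValueError("wider than 32 bits: " + hex_text)
    return value - (1 << 32) if value & 0x80000000 else value

def decode(hex_text):
    """Return (signed code, NSS name or a description of where it falls)."""
    code = to_signed32(hex_text)
    for family, base, span in RANGES:
        if base <= code < base + span:
            fallback = f"{family}_BASE + {code - base} (not in partial table)"
            return code, KNOWN.get(code, fallback)
    return code, "outside the NSS SEC/SSL error ranges"

def triage(text):
    """Decode every 'Error Code:<hex>' found in dialog or log text."""
    return [(m.group(1), *decode(m.group(1))) for m in CODE_RE.finditer(text)]

if __name__ == "__main__":
    for raw, code, name in triage(SAMPLE):
        print(f"{raw} -> {code} -> {name}")
```

The code in this report decodes to the certificate-expiry error; an expired CRL has its own code, SEC_ERROR_CRL_EXPIRED (-8161), which is what the constructed second line decodes to.
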
This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that
bug reports that have not been confirmed by a second user after three months are
highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we
are asking for your help in focussing our efforts. If you can still reproduce
this problem in the latest version of the product (see below for how to obtain a
copy) or, for feature requests, if it's not present in the latest version and
you still believe we should implement it, please visit the URL of this bug
(given at the top of this mail) and add a comment to that effect, giving more
reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not
changed in any way in the next two weeks, it will be automatically resolved.
Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox:     http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey:   http://www.mozilla.org/projects/seamonkey/
This bug has been automatically resolved after a period of inactivity (see above
comment). If anyone thinks this is incorrect, they should feel free to reopen it.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → EXPIRED
Status: RESOLVED → UNCONFIRMED
Resolution: EXPIRED → ---
Assignee: bross2 → kengert
QA Contact: mconnor
There are 1000 ways to do things wrong with OpenSSL (or any do-it-yourself 
program for issuing certs and CRLs).  Every time someone does it wrong,
and PSM or NSS detects it, they file a bug against PSM, as if NSS or PSM
was the problem.  It's as if NSS/PSM has an obligation to diagnose all
the troubles every openssl user brings on himself.  

Some time ago, we decided we were no longer in the business of diagnosing
the troubles of OpenSSL users.  NSS exists to work with certificates 
produced in a professional competent manner, by real certificate 
authorities.  

This error code is due to an expired cert or CRL.  
Don't reopen this.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago → 18 years ago
Resolution: --- → INVALID
> NSS exists to work with certificates 
> produced in a professional competent manner, by real certificate 
> authorities.
It would be too beautiful if the above were true - "real CAs" produce among others legally binding certificates as per RFE bug 277797 according to approved RFCs, but even 18 months after the RFE was posted, NSS is still clueless  :(

While I certainly agree that it is not NSS's mission to "solve the world hunger", due to the immaturity of the field (including the professional CAs), we won't get anywhere if we do not honour people who take the initiative themselves and start their journey with openssl and the like. Not improving lousy error messages and arrogantly not providing the insight we could ("expired cert or CRL") is doing a disservice to anyone who believes that more online security and "informational self-determination" is a worthwhile goal.