User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20040913 Firefox/0.10
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20040913 Firefox/0.10

Firefox does not import a CRL that mozilla imports without any problem. The message displayed:

The browser cannot import the Certification Revocation List (CRL). Error importing CRL to local Database. Error Code:ffffe00b. Please ask your system administrator for assistance.

Reproducible: Always

Steps to Reproduce:
1. create a CRL with openssl
2. publish it on a website
3. try to download it

Actual Results: a message dialog popped up: The browser cannot import the Certification Revocation List (CRL). Error importing CRL to local Database. Error Code:ffffe00b. Please ask your system administrator for assistance.

Expected Results: Import the CRL in the CRL list like mozilla, appear in the list of CRLs imported. Mozilla imported it with no problem.
Attila, which version of Mozilla is working? Both use the same code for crypto.
'ffffe00b' is the unsigned int representation of the 16 bit '-1FF5' signed integer value. In decimal encoding, that's -8 181.

Once you calculated that you can go to this page:
NSS and SSL Error Codes
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html#1038501

And see that error -8 181 is:
SEC_ERROR_EXPIRED_CERTIFICATE -8181 Peer's certificate has expired.

So when you imported in mozilla, the CA cert used to check the crl was valid, but one used with Firefox was expired.

The way this dialog reports errors really sucks.
Component: Preferences → Security: PSM
Product: Firefox → Core
Version: unspecified → Trunk
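The decoding described in the comment above, as an added example that is not part of the original bug thread or of NSS: it pulls the hex code out of the dialog text, reinterprets it as a signed 32-bit value and names it. The table is a small subset of the offsets in NSS's secerr.h, and `FAMILY_WINDOW`, `to_signed32` and `decode_dialog` are names and assumptions of this example.

```python
import re

# Bases from NSS's secerr.h and sslerr.h; every error is base + small offset.
SEC_ERROR_BASE = -0x2000  # -8192
SSL_ERROR_BASE = -0x3000  # -12288
FAMILY_WINDOW = 1000      # assumption of this example, not an NSS constant

# Subset of secerr.h offsets that matter when importing certs and CRLs.
SEC_ERRORS = {
    9: "SEC_ERROR_BAD_DER",
    10: "SEC_ERROR_BAD_SIGNATURE",
    11: "SEC_ERROR_EXPIRED_CERTIFICATE",
    13: "SEC_ERROR_UNKNOWN_ISSUER",
    30: "SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE",
    31: "SEC_ERROR_CRL_EXPIRED",
    32: "SEC_ERROR_CRL_BAD_SIGNATURE",
    33: "SEC_ERROR_CRL_INVALID",
}


def to_signed32(hex_code):
    """Reinterpret an unsigned 32-bit hex string as a two's-complement int."""
    value = int(hex_code, 16)
    if value > 0xFFFFFFFF:
        raise ValueError("not a 32-bit value: " + hex_code)
    return value - (1 << 32) if value & 0x80000000 else value


def decode_dialog(text):
    """Return (signed_code, family, name) for the code in a PSM error dialog."""
    match = re.search(r"Error Code:\s*([0-9a-fA-F]{1,8})\b", text)
    if match is None:
        raise ValueError("no 'Error Code:' field found")
    code = to_signed32(match.group(1))
    if 0 <= code - SEC_ERROR_BASE < FAMILY_WINDOW:
        return code, "SEC", SEC_ERRORS.get(code - SEC_ERROR_BASE, "not in this subset")
    if 0 <= code - SSL_ERROR_BASE < FAMILY_WINDOW:
        return code, "SSL", "see sslerr.h"
    return code, "unknown", None


# Dialog text as quoted in the bug report above.
DIALOG = ("The browser cannot import the Certification Revocation List (CRL). "
          "Error importing CRL to local Database. Error Code:ffffe00b. "
          "Please ask your system administrator for assistance.")

if __name__ == "__main__":
    print(decode_dialog(DIALOG))
```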
This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that bug reports that have not been confirmed by a second user after three months are highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we are asking for your help in focussing our efforts. If you can still reproduce this problem in the latest version of the product (see below for how to obtain a copy) or, for feature requests, if it's not present in the latest version and you still believe we should implement it, please visit the URL of this bug (given at the top of this mail) and add a comment to that effect, giving more reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not changed in any way in the next two weeks, it will be automatically resolved. Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox: http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey: http://www.mozilla.org/projects/seamonkey/
This bug has been automatically resolved after a period of inactivity (see above comment). If anyone thinks this is incorrect, they should feel free to reopen it.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → EXPIRED
There are 1000 ways to do things wrong with OpenSSL (or any do-it-yourself program for issuing certs and CRLs). Every time someone does it wrong, and PSM or NSS detects it, they file a bug against PSM, as if NSS or PSM was the problem. It's as if NSS/PSM has an obligation to diagnose all the troubles every openssl user brings on himself. Some time ago, we decided we were no longer in the business of diagnosing the troubles of OpenSSL users. NSS exists to work with certificates produced in a professional competent manner, by real certificate authorities. This error code is due to an expired cert or CRL. Don't reopen this.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 14 years ago → 13 years ago
Resolution: --- → INVALID
> NSS exists to work with certificates
> produced in a professional competent manner, by real certificate
> authorities.

It would be too beautiful if the above were true - "real CAs" produce among others legally binding certificates as per RFE bug 277797 according to approved RFCs, but even 18 months after the RFE was posted, NSS is still clueless :(

While I certainly agree that it is not NSS's mission to "solve the world hunger", due to the immaturity of the field (including the professional CAs), we won't get anywhere if we do not honour people who take the initiative themselves and start their journey with openssl and the like. Not improving lousy error messages and arrogantly not providing the insight we could ("expired cert or CRL") is doing a disservice to anyone who believes that more online security and "informational self-determination" is a worthwhile goal.