Closed Bug 287555 Opened 20 years ago Closed 20 years ago

Cert not accepted from www.ultimatix.net, Error Code: --8102

Categories

(NSS :: Libraries, defect)

x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: webmaster, Assigned: wtc)

Attachments

(4 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050323 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050323 Firefox/1.0+

The certificate presented by https://www.ultimatix.net is a self-signed
certificate. Firefox does not accept this certificate while Internet Explorer
does. Firefox instead gives the following error message:

Could not establish an encrypted connection because certificate presented by
www.ultimatix.net is invalid or corrupted. Error Code: -8102

A similar kind of bug to do with error code: -8101 for site 
https://gpt.infonet.com was reported under BUG ID: 231775. I am using the latest
nightly build - 20050323 of FF which fixes this bug. I presume this patch will
officially be released under version 1.03

The certificate from https://www.ultimatix.net contains the following OIDs in
the extended key usage:

Secure Email (1.3.6.1.5.5.7.3.4)           << id_kp_emailProtection
Server Authentication (1.3.6.1.5.5.7.3.1)  << id_kp_serverAuth
Unknown Key Usage (1.3.6.1.4.1.311.10.3.3) << Microsoft Server Gated Crypto (msSGC)
Unknown Key Usage (2.16.840.1.113730.4.1)  << Netscape Server Gated Crypto (nsSGC)

I get a feeling that this problem I am reporting is similar to bug id: 231775,
but however has not been fixed by the patch for it.

I cannot analyse further than this, so please let me know what's going wrong.
Is it Firefox or is it the certificate? Please check the URL with IE. IE gives a
warning and lets users proceed.

This is the only URL because of which I am forced to use IE. Please fix it so I
do not ever have to go back to it.

Reproducible: Always

Steps to Reproduce:
1. Go to URL https://www.ultimatix.net
2. You get the error message with code: -8102
3. Problem replicated

Actual Results:  
I get the error message: -8102

Expected Results:  
The page should open presenting a login box.
This was always a problem right from Firefox version 0.9 that I know of, so this
problem has not been introduced by any fixes. Just thought it would help.
(In reply to comment #0)

Self-signed certificates *are* invalid under the PKI trust model, the error
message is correct. This is nothing like error -8101 in bug 231775 which
involved not handling certain extensions of --valid-- certificates.

IE does *NOT* "accept" this cert. It too warns of the error, but foolishly
allows naive users to accept it anyway far too easily. If users want to
explicitly break the PKI model by installing a self-signed root cert they can
certainly import it.

Certs can be gotten cheap, ultimatix should just go get one.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
Hello Daniel. So the problem is with the certificate but I can't get the
workaround mentioned by you to work for me.

WORKAROUND
----------
"If users want to explicitly break the PKI model by installing a self-signed
root cert they can certainly import it."

I tried this, it does not work. I tried importing only under 'Websites' and then
deleting it and importing it under 'Authorities', explicitly giving it the
authority to identify websites, mail users & software makers.

*Please see attachment*

I still get the -8102 error.

What am I doing wrong? Or is it even possible in FF currently to get this site
to work unless they get a certificate from a valid CA?
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
-8102 is SEC_ERROR_INADEQUATE_KEY_USAGE, looks like either the appropriate CA
bits aren't turned on, or perhaps the SSL usage bits aren't turned on.

http://lxr.mozilla.org/mozilla/search?string=ERROR_INADEQUATE_KEY_USAGE

What did you use to create the cert?
Assignee: dveditz → wtchang
Component: Security → Libraries
Product: Firefox → NSS
QA Contact: firefox → bishakhabanerjee
Summary: Firefox does not accept the certificate presented by https://www.ultimatix.net. Error Code: --8102 → Cert not accepted from www.ultimatix.net, Error Code: --8102
Daniel, I did not create the cert. 

Ultimatix is my company internal-use-only employee portal.

I'll ask the responsible people and get back to you on your query - "How the
cert was created?"

This will take some time. Let's keep this on-hold till I get back.

Back with some information which may or may not help. I believe more information
is always good. I checked with all mozilla based browsers - FF, Mozilla &
Netscape. All give the same meaningless -8102 message. I believe FF should
improve on this. This is for later.

However 'Opera' clearly explained what the problem was. The message read:
<OPERA>
The server's certificate chain is incomplete, and the signer(s) are not
registered. Accept?

- The certificate for "www.ultimatix.net" is signed by the unknown Certificate
Authority "TCS CIO". It is not possible to verify that this is a valid certificate
</OPERA>

*Please see attachments*

Am also attaching the cert details as given by Opera.

I'll however get back with the 'How was the cert created' question.
Both IE & Opera allow me to proceed further after giving the security warning.
I can understand that IE is full of security problems, but Opera is a respected
browser. Is there a way around in Firefox to proceed?
Error -8102 is documented at 
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html#1038096
It tells us that the certificate's key usage is the problem.
As shown in one of the above attachments, the cert's key usage is:
X509v3 Key Usage: Digital Signature, Non Repudiation

RFC 2246 says:

   When a key usage extension is
   present, the digitalSignature bit must be set for the key to be
   eligible for signing, as described above, and the keyEncipherment bit
   must be present to allow encryption, as described above.

The server is selecting an RSA ciphersuite, and so the keyEncipherment 
bit must be set to allow key encryption, as described above. 
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
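
The check described in the final comment, as an added example that is not part of the bug report and is not NSS code: it decodes a DER-encoded keyUsage BIT STRING and tests it against the key exchange method in use. The byte strings are constructed samples, the function names are hypothetical, and the DHE_RSA/ECDHE_RSA rows go beyond the RSA case discussed on this page.

```python
KEY_USAGE_BITS = [  # RFC 5280 bit numbering, bit 0 first
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
]

# Key usage bit the server certificate needs for each key exchange method.
REQUIRED_FOR_KEX = {
    "RSA": "keyEncipherment",       # client encrypts the premaster secret to the cert key
    "DHE_RSA": "digitalSignature",  # server signs its ephemeral parameters
    "ECDHE_RSA": "digitalSignature",
}

def parse_key_usage(der: bytes) -> set:
    """Decode a DER BIT STRING holding a keyUsage extension value."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    if der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("unexpected length encoding")
    unused, payload = der[2], der[3:]
    if unused > 7 or (not payload and unused):
        raise ValueError("bad unused-bits count")
    total_bits = len(payload) * 8 - unused
    return {
        name for i, name in enumerate(KEY_USAGE_BITS)
        if i < total_bits and payload[i // 8] & (0x80 >> (i % 8))
    }

def check_server_cert(key_usage_der, kex):
    """Return (ok, reason); key_usage_der=None means the extension is absent."""
    if key_usage_der is None:
        return True, "no keyUsage extension, so no restriction applies"
    usages = parse_key_usage(key_usage_der)
    needed = REQUIRED_FOR_KEX[kex]
    if needed in usages:
        return True, f"{needed} present"
    return False, f"{kex} key exchange needs {needed}; cert has {sorted(usages)}"

# Constructed sample values (not bytes taken from the real certificate):
DS_NR = bytes.fromhex("030206c0")     # digitalSignature + nonRepudiation, as reported here
DS_NR_KE = bytes.fromhex("030205e0")  # the same plus keyEncipherment

if __name__ == "__main__":
    for label, ku in [("as reported", DS_NR), ("with keyEncipherment", DS_NR_KE)]:
        for kex in ("RSA", "DHE_RSA"):
            print(label, kex, check_server_cert(ku, kex))
```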