Closed
Bug 288713
Opened 19 years ago
Closed 19 years ago
moz 1.4.1 cannot decode certs made by NSS 3.10 Beta 1
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: nelson, Assigned: neil.williams)
Details
I am running a selfserv server using a cert chain built by all.sh for NSS 3.10 Beta. When I visit this server with mozilla 1.8b (built several weeks ago), it works fine. When I visit it with mozilla 1.4.1 or Netscape 7.1, those browsers show error -8183, which is SEC_ERROR_BAD_DER. Julien's testing shows that no version of NSS older than 3.9 can decode these certs. So, the questions are: a) are we building invalid certs now? or are we building valid certs that older browsers simply cannot parse (due to a bug fixed in 3.9, perhaps)? b) what characteristic of the new certs renders them unparsable by older NSS versions? Julien suspects it is the use of Generalized Time. This is potentially a P1 release stopper for Sun, since some customers use NSS (via certutil) to generate self-issued certs for their intranet servers.
Updated•19 years ago
|
OS: Windows XP → All
Hardware: PC → All
Reporter | ||
Comment 1•19 years ago
|
||
Julien is diagnosing this at the moment. Leaving unconfirmed until we know the exact cause.
Priority: -- → P1
Target Milestone: --- → 3.10
Comment 2•19 years ago
|
||
all.sh creates a CA cert 50 years in the future, in order to test the GeneralizedTime encoding. Thus, any browser using NSS older than 3.9 will fail to decode the CA cert generated by all.sh.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Priority: P1 → --
Resolution: --- → INVALID
Target Milestone: 3.10 → ---
Reporter | ||
Comment 3•19 years ago
|
||
Julien, thanks for resolving this bug. I'm very glad it's not a regression.
Reporter | ||
Comment 4•19 years ago
|
||
See bug 288788 for a real SSL bug related to this one.
You need to log in
before you can comment on or make changes to this bug.
Description
•