Closed Bug 288713 Opened 19 years ago Closed 19 years ago

moz 1.4.1 cannot decode certs made by NSS 3.10 Beta 1

Categories

(NSS :: Libraries, defect)

3.10
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: nelson, Assigned: neil.williams)

Details

I am running a selfserv server using a cert chain built by all.sh for 
NSS 3.10 Beta.  When I visit this server with mozilla 1.8b (built several
weeks ago), it works fine.  When I visit it with mozilla 1.4.1 or 
Netscape 7.1, those browsers show error -8183, which is SEC_ERROR_BAD_DER.

Julien's testing shows that no version of NSS older than 3.9 can decode
these certs.  

So, the questions are:
a) are we building invalid certs now? or are we building valid certs that
older browsers simply cannot parse (due to a bug fixed in 3.9, perhaps)?

b) what characteristic of the new certs renders them unparsable by older
NSS versions?  Julien suspects it is the use of Generalized Time.  

This is potentially a P1 release stopper for Sun, since some customers 
use NSS (via certutil) to generate self-issued certs for their intranet
servers.
OS: Windows XP → All
Hardware: PC → All
Julien is diagnosing this at the moment. 
Leaving unconfirmed until we know the exact cause.
Priority: -- → P1
Target Milestone: --- → 3.10
all.sh creates a CA cert 50 years in the future, in order to test the
GeneralizedTime encoding. Thus, any browser using NSS older than 3.9 will fail
to decode the CA cert generated by all.sh.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Priority: P1 → --
Resolution: --- → INVALID
Target Milestone: 3.10 → ---
Julien, thanks for resolving this bug.  I'm very glad it's not a regression.
See bug 288788 for a real SSL bug related to this one.
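The cause identified in this bug can be checked on any certificate by looking at the ASN.1 tag of each Validity time: RFC 5280 encodes dates through 2049 as UTCTime and dates in 2050 or later as GeneralizedTime. The following is an added example, not code from this bug or from NSS; the function names and the skeleton certificate with its dates are constructed for illustration.

```python
UTC_TIME, GENERALIZED_TIME = 0x17, 0x18    # ASN.1 universal tags

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def validity_time_types(cert_der):
    """Return the ASN.1 type names of (notBefore, notAfter) in a DER certificate."""
    _, cert, _ = read_tlv(cert_der, 0)     # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)          # TBSCertificate SEQUENCE
    tag, _, nxt = read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0        # skip optional [0] EXPLICIT version
    for _ in range(3):                     # serialNumber, signature, issuer
        _, _, pos = read_tlv(tbs, pos)
    tag, validity, _ = read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("Validity SEQUENCE not found")
    names = {UTC_TIME: "UTCTime", GENERALIZED_TIME: "GeneralizedTime"}
    first, _, p = read_tlv(validity, 0)
    second, _, _ = read_tlv(validity, p)
    return tuple(names.get(t, "unknown") for t in (first, second))

def uses_generalized_time(cert_der):
    """True if either validity date is GeneralizedTime (undecodable by NSS < 3.9 per this bug)."""
    return "GeneralizedTime" in validity_time_types(cert_der)

def der(tag, body):
    """Encode one DER element; the constructed samples only need short-form lengths."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def skeleton_cert(not_before, not_after):
    """Constructed sample: certificate skeleton with empty algorithm and issuer fields."""
    def time(s):                           # 13 chars = YYMMDDHHMMSSZ, 15 = YYYYMMDDHHMMSSZ
        return der(UTC_TIME if len(s) == 13 else GENERALIZED_TIME, s.encode())
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") + der(0x30, b"")
    tbs += der(0x30, time(not_before) + time(not_after))
    return der(0x30, der(0x30, tbs))
```

The same functions accept the DER bytes of a real certificate, so a test CA can be checked for GeneralizedTime before it is served to clients built on older NSS.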