Closed Bug 345203 Opened 18 years ago Closed 16 years ago

ssl certificate check fails when certificate was created with no purpose

Categories

(Core :: Security, defect)

1.8 Branch
x86
Linux
defect
Not set
normal

RESOLVED INCOMPLETE

People

(Reporter: wheckfuiw, Assigned: dveditz)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.4) Gecko/20060608 Ubuntu/dapper-security Firefox/1.5.0.4
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.4) Gecko/20060608 Ubuntu/dapper-security Firefox/1.5.0.4

When trying to access an https site and being asked for a certificate, it turns out that if it was created with no special purpose (e.g. server, client, etc.) Firefox ASSUMES that it is a SERVER certificate. This is a problem when the site you're trying to access accepts ONLY **CLIENT** CERTIFICATES (e.g. gLite's VOMS server site).

I checked the purpose tag on the certificate section (Preferences -> Advanced -> View Certificates (select the certificate, double click) -> Details tag -> Extensions -> Netscape certificate type) and it recognized it as a SERVER certificate (even if I created it with NO purpose).

I've tried accessing the site using Firefox and Mozilla (under Debian, Fedora and Ubuntu dapper and Windows XP SP2, all fully updated).

When trying to access the site using Windows Internet Explorer with the same certificate the problem is gone (it says the certificate is FOR ALL PURPOSES).

It would be good to mention that I used a debugging connection tool to see whether the authentication was happening or not, and even if it said I was correctly authenticated I couldn't access the site because of what I explained above.

Thanks!


Reproducible: Always

Steps to Reproduce:
1. Create a p12 certificate with no purpose
2. Import it into Firefox certificates (Preferences -> Advanced -> View Certificates -> Import)
3. Access certificate properties and check its purpose (Preferences -> Advanced -> View Certificates (select the certificate, double click) -> Details tag -> Extensions -> Netscape certificate type)
4. After step 3 you should get an ALL PURPOSE certificate type; instead you get a SERVER CERTIFICATE type
5. Try accessing an https site which accepts ONLY client certificates

Actual Results:
When checking certificate type, I got a SERVER CERTIFICATE type message. After trying to access the site, I got a "Could not establish an encrypted connection because your certificate was rejected by HOST-NAME. Error code -12271"

Expected Results:  
Access the site!
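
The "Netscape certificate type" extension inspected in the report above is a DER BIT STRING of purpose flags. As an added example (not part of the original report and not Mozilla's code), this sketch decodes that value and checks for the SSL client bit; the sample byte strings are constructed, and `usable_for_client_auth` is a hypothetical helper that looks only at this one extension.

```python
# Netscape Certificate Type (OID 2.16.840.1.113730.1.1) flag names, bit 0 first.
NS_CERT_TYPE_BITS = [
    "SSL client", "SSL server", "S/MIME", "Object signing",
    "Reserved", "SSL CA", "S/MIME CA", "Object signing CA",
]

def decode_ns_cert_type(der):
    """Return the purposes set in a DER-encoded nsCertType BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    if der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("unexpected length encoding")
    unused, payload = der[2], der[3:]
    if unused > 7 or (not payload and unused):
        raise ValueError("bad unused-bit count")
    if payload and payload[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    # DER numbers bits from the most significant bit of the first byte.
    return [name for i, name in enumerate(NS_CERT_TYPE_BITS)
            if payload and payload[0] & (0x80 >> i)]

def usable_for_client_auth(ext_der):
    """Hypothetical helper: does this extension alone permit SSL client use?

    None models a certificate that carries no nsCertType extension, in which
    case this extension imposes no restriction (others, e.g. EKU, still may).
    """
    if ext_der is None:
        return True
    return "SSL client" in decode_ns_cert_type(ext_der)

# Constructed sample extension values (not taken from the report).
SAMPLES = {
    "server only": bytes.fromhex("03020640"),
    "client only": bytes.fromhex("03020780"),
    "client + server": bytes.fromhex("030206c0"),
    "no extension": None,
}

if __name__ == "__main__":
    for label, der in SAMPLES.items():
        flags = decode_ns_cert_type(der) if der is not None else []
        print(f"{label:16} flags={flags} client_ok={usable_for_client_auth(der)}")
```

A certificate whose extension decodes to "SSL server" alone is one a client-certificate-only site can be expected to refuse, which is the distinction the report turns on.
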

Reporter, do you still see this problem with the latest Firefox 2? If not, can you please close this bug as WORKSFORME. Thanks!
Whiteboard: CLOSEME 06/27
Version: unspecified → 1.5.0.x Branch

ab, reporter, seems to be gone, but bug might be valid => security
Assignee: nobody → dveditz
Product: Firefox → Core
QA Contact: firefox → toolkit
Version: 1.5.0.x Branch → 1.8 Branch

@Reporter, we have not heard back from you in a while, so I am closing this bug as INCOMPLETE. You can reopen this bug if more information becomes available. Some helpful information you can provide us is found at http://new.quality.mozilla.org/bug-writing-guidelines.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → INCOMPLETE
Whiteboard: CLOSEME 06/27