Closed Bug 379710 Opened 18 years ago Closed 18 years ago

Firefox produces error -8101 when connecting to HTTPS site

Categories

(Core :: Security: PSM, defect)

x86
Windows XP
defect
Not set
critical

RESOLVED INVALID

People

(Reporter: raju_datar, Assigned: KaiE)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3

We have an SSL server and the SSL certificates are fine with IE (the site is visible with IE). However, when we connect to the same site using Firefox, the -8101 error is displayed. This is a critical problem for us. Please help quickly.

Exact error: Could not establish an encrypted connection because certificate presented by ...... is invalid or corrupted. Error code: -8101

Reproducible: Always

Steps to Reproduce:
1. https://<web site>
2. Error message pop-up is displayed (error is -8101)
3. After clicking OK there is no page

Actual Results: No page was displayed.

Expected Results: web site page

PLEASE help with this. If you need a certificate, here it is:
Version: unspecified → 2.0 Branch
Assignee: nobody → kengert
Component: Security → Security: PSM
Product: Firefox → Core
QA Contact: firefox → psm
Version: 2.0 Branch → Trunk
Can you give us the URL to the site that's not working? Is there any reason this bug needs to be closed to the public?
Opening should help to get some additional eyes on this potential cert compatibility problem. Opening.
Group: security
The chances are extremely high that this is a technical support question, not a bug. Bugzilla is not designed for technical support.

Did you include the intermediate certs on the server? I don't remember what error that gives, but it's a common mistake and there's help docs on the major CA sites like Verisign about it.

news://news.mozilla.org/mozilla.dev.tech.crypto

The NSS utility SSLTAP is also handy in diagnosing problems.

-8101 is SEC_ERROR_INADEQUATE_CERT_TYPE
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html

Go to the newsgroup above and ask what SEC_ERROR_INADEQUATE_CERT_TYPE means.
(In reply to comment #3)
> -8101 is SEC_ERROR_INADEQUATE_CERT_TYPE
> http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html
>
> Go to the newsgroup above and ask what SEC_ERROR_INADEQUATE_CERT_TYPE means.

Shouldn't be necessary, here's the problem with this certificate:

> X509v3 extensions:
[...]
> Netscape Cert Type:
> SSL Client

So yes, Firefox/NSS is absolutely correct in flagging this certificate with SEC_ERROR_INADEQUATE_CERT_TYPE when connecting to a server configured with this cert, because setting the netscape-cert-type extension to "SSL client" (only) effectively disallows its use for SSL server authentication (cf. also http://wp.netscape.com/eng/security/comm4-cert-exts.html).

The solution is to either omit the netscape-cert-type extension completely, or to also include the SSL server usage (bit 1) in the extension. If the key usage should be restricted, then replacing netscape-cert-type by extended key usage (RFC 3280, section 4.2.1.13) is probably the best solution nowadays.

This bug can safely be resolved as INVALID, IMO.
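The rule from the comment above, as an added example that is not part of the original bug thread and is not NSS code: it decodes a netscape-cert-type extension value (a DER BIT STRING) and checks whether the SSL server bit is set. The function names and hex sample values are constructed for illustration, and treating an absent extension as unrestricted is a simplifying assumption.

```python
from typing import List, Optional

# Bit positions of the netscape-cert-type extension (bit 0 is the MSB).
NS_CERT_TYPE_BITS = [
    "SSL Client",         # bit 0
    "SSL Server",         # bit 1
    "S/MIME",             # bit 2
    "Object Signing",     # bit 3
    "Reserved",           # bit 4
    "SSL CA",             # bit 5
    "S/MIME CA",          # bit 6
    "Object Signing CA",  # bit 7
]


def decode_ns_cert_type(der: bytes) -> List[str]:
    """Return the usage names set in a DER-encoded netscape-cert-type value."""
    if len(der) < 4 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING with content")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unexpected BIT STRING length")
    unused, payload = der[2], der[3:]
    if unused > 7 or payload[-1] & ((1 << unused) - 1):
        raise ValueError("invalid unused-bit count or non-zero padding bits")
    # BIT STRING bit 0 is the most significant bit of the first content byte.
    return [n for i, n in enumerate(NS_CERT_TYPE_BITS) if payload[0] & (0x80 >> i)]


def usable_for_ssl_server(ns_cert_type_der: Optional[bytes]) -> bool:
    """Simplified model (assumption): an absent extension imposes no
    restriction; a present one must include the SSL Server bit."""
    if ns_cert_type_der is None:
        return True
    return "SSL Server" in decode_ns_cert_type(ns_cert_type_der)


# Constructed sample values, not copied from the page:
CLIENT_ONLY = bytes.fromhex("03020780")        # bit 0 only, 7 unused bits
CLIENT_AND_SERVER = bytes.fromhex("030206c0")  # bits 0 and 1, 6 unused bits

if __name__ == "__main__":
    for label, value in [("client only", CLIENT_ONLY),
                         ("client + server", CLIENT_AND_SERVER),
                         ("extension omitted", None)]:
        print(f"{label}: usable for SSL server = {usable_for_ssl_server(value)}")
```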
Thanks, Kaspar! Your analysis was perfect! Much appreciated.
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → INVALID