Open
Bug 520830
Opened 15 years ago
Updated 1 year ago
Firefox is trying to add security exception instead failing to establish connection
Categories
(NSS :: Libraries, defect, P2)
Tracking
(Not tracked)
NEW
3.13
People
(Reporter: unghost, Unassigned)
References
()
Details
STR: Open https://cert.taxcom.ru/ui/ (AFAIK this site uses GOST Cipher Suites for TLS ( http://en.wikipedia.org/wiki/GOST_%28block_cipher%29 ), not supported by Mozilla's NSS). Expected result: Firefox should show helpful message with text like "Firefox doesn't support this kind of SSL encryption, sorry". Actual result: User is trying to add security exception, but failing. Pressing button "Confirm Security Exception" doesn't do anything and user stuck. P.S. SeaMonkey 1.1.18 shows error "Could not establish an encrypted connection because certificate presented by cert.taxcom.ru is invalid or corrupted. Error code : -8102" on this page.
|
||
Comment 1•15 years ago
|
||
note: GOST support is requested in bug 518787
|
||
Comment 2•14 years ago
|
||
In the above test case, NSS produces error code sec_error_inadequate_key_usage. In bug 427081 it was decided that error code sec_error_inadequate_key_usage should be possible to override. Now we get this error code in a scenario where we have an unsupported algor. Bob, Nelson, do you think this scenario should produce a different error code?
|
||
Comment 3•14 years ago
|
||
Yes, the problem with this cert is that the public key type is unknown. Function CERT_CheckKeyUsage extracts the key from the cert and uses the type of the extracted key (e.g. RSA, DSA, EC, etc.) to decide if the key is consistent with the specified required key usage. If the key type is unknown, it sets error SEC_ERROR_INADEQUATE_KEY_USAGE. It would probably be much better if it returns an error code saying "unknown key type". The closest error we have is "SEC_ERROR_BAD_KEY". Likewise, when that function returns SECFailure, it callers also sets SEC_ERROR_INADEQUATE_KEY_USAGE. see CERT_VerifyCert, cert_VerifyCertChainOld, CERT_VerifyCertificate, lines 881, 1121, 1268 and 1477. These should all be fixed, IMO.
|
|
||
Comment 4•14 years ago
|
||
Nelson, thanks for confirming and researching the places. It sounds like the patch is easy to do. Who wants to write the patch and test it?
|
|
||
Updated•14 years ago
|
Assignee: nobody → nelson
Component: Security → Libraries
Priority: -- → P2
Product: Firefox → NSS
QA Contact: firefox → libraries
Target Milestone: --- → 3.12.7
Version: 3.6 Branch → 3.4
|
||
Updated•14 years ago
|
Target Milestone: 3.12.7 → 3.13
|
||
Comment 5•14 years ago
|
||
That will be WFM when bug 608725 is landed I assume.
|
||
Comment 6•2 years ago
|
||
The bug assignee is inactive on Bugzilla, and this bug has priority 'P2'.
:beurdouche, could you have a look please?
For more information, please visit auto_nag documentation.
Assignee: nelson → nobody
Flags: needinfo?(bbeurdouche)
|
||
Updated•2 years ago
|
Severity: normal → S3
|
||
Comment 7•1 year ago
|
||
We have modified the bot to only consider P1 as high priority, so I'm cancelling the needinfo here.
Flags: needinfo?(bbeurdouche)
You need to log in
before you can comment on or make changes to this bug.
Description
•