Connection failed for site with self-signed certificate

Status: RESOLVED INVALID
Product: NSS
Component: Libraries
Reporter: Gennadij Latyshev (Unassigned)
Firefox Tracking Flags: (Not tracked)

Description (Reporter)

5 years ago
User Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 (Beta/Release)
Build ID: 20130725122636

Steps to reproduce:

1. Install server certificate from http://exch.chem.msu.ru/cert/exch.crt
2. Go to https://exch.chem.msu.ru/owa/


Actual results:

Secure Connection Failed
An error occurred during a connection to exch.chem.msu.ru.
security library: improperly formatted DER-encoded message.
(Error code: sec_error_bad_der)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.


Expected results:

Outlook web access login page

Note: this is a regression from Firefox 22.

Mozilla/5.0 (X11; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0

Comment 1

5 years ago
I have reason to believe that your certificate is wrong.
It contains the sequence (in DER encoding):
30 0f 06 03 55 1d 13 01 01 ff 04 05 30 03 02 01 00

This is the encoding of an extension as per http://tools.ietf.org/html/rfc5280#section-4.1

Sequence prefix: 30 0f
extnID: 06 03 55 1d 13  (is id-ce-basicConstraints)
critical: 01 01 ff (boolean true)
extnValue: 04 05 30 03 02 01 00 (octet string with contents 30 03 02 01 00)

About the critical flag, RFC 5280 says: "A certificate-using system MUST reject the certificate if it encounters a critical extension it does not recognize or a critical extension that contains information that it cannot process."

The extnValue is a sequence, so for your cert:
seq prefix: 30 03
first element: 02 01 00 (i.e. integer with value 256)

http://tools.ietf.org/html/rfc5280#section-4.2.1.9 states that the first element must be a boolean. This is missing in your cert.
I think that Firefox does the right thing, rejecting this certificate. All other browsers which accept it are malfunctioning :-)
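As an added example, not part of this bug report and not NSS's own decoder, the following Python walks the 17 extension bytes quoted in comment 1 with a minimal DER tag-length-value reader and then checks the basicConstraints value against RFC 5280 section 4.2.1.9. Structurally the bytes decode without error: cA is DEFAULT FALSE and DER omits default values, so `30 03 02 01 00` reads as cA absent and a pathLenConstraint INTEGER whose single content byte 0x00 gives the value 0. What makes the extension unprocessable is the rule in 4.2.1.9 that pathLenConstraint may only be present when cA is asserted, combined with the critical flag (`01 01 ff`), which obliges a relying party to reject rather than ignore the extension. The tag constants, function names and the byte string are this example's own assumptions.

```python
# Added example (not from the bug report or NSS): minimal DER TLV walker plus a
# basicConstraints checker following RFC 5280 section 4.2.1.9.
from typing import List, Tuple

TAG_BOOLEAN = 0x01
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_OID = 0x06
TAG_SEQUENCE = 0x30
ID_CE_BASIC_CONSTRAINTS = "2.5.29.19"  # id-ce-basicConstraints

# Constructed input: the extension bytes quoted in comment 1.
EXTENSION_FROM_COMMENT_1 = bytes.fromhex("300f0603551d130101ff04053003020100")


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one definite-length DER element at pos; return (tag, contents, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("element length exceeds buffer")
    return tag, buf[pos:end], end


def read_sequence(buf: bytes) -> List[Tuple[int, bytes]]:
    """Decode buf as exactly one SEQUENCE and return its child (tag, contents) pairs."""
    tag, body, end = read_tlv(buf)
    if tag != TAG_SEQUENCE or end != len(buf):
        raise ValueError("expected a single SEQUENCE")
    items, pos = [], 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        items.append((t, v))
    return items


def decode_oid(contents: bytes) -> str:
    """First byte packs arcs 1 and 2 (40*a1 + a2); the rest are base-128 subidentifiers."""
    arcs = [contents[0] // 40, contents[0] % 40]
    value = 0
    for b in contents[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_extension(der: bytes) -> dict:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    items = read_sequence(der)
    if not items or items[0][0] != TAG_OID:
        raise ValueError("extnID must be an OID")
    ext = {"oid": decode_oid(items[0][1]), "critical": False}
    rest = items[1:]
    if rest and rest[0][0] == TAG_BOOLEAN:
        ext["critical"] = rest[0][1] != b"\x00"
        rest = rest[1:]
    if len(rest) != 1 or rest[0][0] != TAG_OCTET_STRING:
        raise ValueError("extnValue must be a single OCTET STRING")
    ext["value"] = rest[0][1]
    return ext


def check_basic_constraints(value: bytes) -> Tuple[bool, str]:
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER (0..MAX) OPTIONAL }. Returns (accepted, reason)."""
    items = read_sequence(value)
    ca = False
    if items and items[0][0] == TAG_BOOLEAN:  # cA present (DER omits it when FALSE)
        ca = items[0][1] != b"\x00"
        items = items[1:]
    if not items:
        return True, f"cA={ca}, no pathLenConstraint"
    tag, contents = items[0]
    if tag != TAG_INTEGER or len(items) != 1:
        return False, "unexpected element after cA"
    path_len = int.from_bytes(contents, "big", signed=True)
    if not ca:  # RFC 5280 4.2.1.9: pathLenConstraint only when cA is asserted
        return False, f"pathLenConstraint={path_len} present but cA is FALSE"
    if path_len < 0:
        return False, "pathLenConstraint must be >= 0"
    return True, f"cA=True, pathLenConstraint={path_len}"


def evaluate_extension(der: bytes) -> Tuple[bool, str]:
    """Section 4.2 rule: an unknown or unprocessable critical extension means rejection."""
    ext = parse_extension(der)
    if ext["oid"] != ID_CE_BASIC_CONSTRAINTS:
        return (not ext["critical"]), f"unrecognized extension {ext['oid']}"
    return check_basic_constraints(ext["value"])


if __name__ == "__main__":
    print(parse_extension(EXTENSION_FROM_COMMENT_1))
    print(evaluate_extension(EXTENSION_FROM_COMMENT_1))
```

Running it prints the parsed extension (OID 2.5.29.19, critical True) and the rejection reason. An operator checking a deployed server certificate can compare with `openssl x509 -in exch.crt -noout -text`, which prints the decoded basicConstraints fields; a well-formed end-entity certificate carries either an empty SEQUENCE (`30 00`) or a cA TRUE boolean ahead of any path length.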

Updated

5 years ago
Assignee: nobody → nobody
Component: Untriaged → Libraries
Product: Firefox → NSS
Version: 23 Branch → trunk

Comment 2

2 years ago
Invalid per comment 1.
But please comment if you disagree.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INVALID