Closed
Bug 956643
Opened 11 years ago
Closed 9 years ago
False alert sec_error_inadequate_key_usage message ?
Categories
(Core :: Security: PSM, defect)
RESOLVED
INCOMPLETE
People
(Reporter: 935c, Unassigned)
Details
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.73.11 (KHTML, like Gecko) Version/7.0.1 Safari/537.73.11
Steps to reproduce:
Given a non-self-signed server cert, I've no idea what Firefox is complaining about. Other browsers such as Safari don't take issue with this cert!
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=GB, ST=England, L=London, O= <snip>, OU=CA Certs, CN=IT Issuing CA
Validity
Not Before: Jan 5 21:02:16 2014 GMT
Not After : Jan 4 21:02:16 2019 GMT
Subject: C=GB, ST=England, L=London, O= <snip>, OU=Web Services, CN=<snip>
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
<snip>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
X509v3 Key Usage:
Digital Signature, Key Agreement
X509v3 Extended Key Usage:
TLS Web Server Authentication, Netscape Server Gated Crypto
X509v3 Subject Key Identifier:
00:FE:E8:E3:56:1F:8A:48:09:0E:01:52:0D:E9:B8:C3:9F:40:9E:C0
X509v3 Authority Key Identifier:
keyid:F4:E8:6D:C9:3D:42:E0:5D:D7:D8:21:5D:F8:1D:F2:CC:02:4B:C8:9E
X509v3 Subject Alternative Name:
IP Address: <snip>
Signature Algorithm: sha1WithRSAEncryption
<snip>
The CA chain looks like this:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=GB, ST=England, L=London, O=<snip>, OU=CA Certs, CN=IT Root CA
Validity
Not Before: Jan 5 20:09:04 2014 GMT
Not After : Dec 24 20:09:04 2023 GMT
Subject: C=GB, ST=England, L=London, O=<snip>, OU=CA Certs, CN=IT Issuing CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
<snip>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
Netscape Cert Type:
SSL CA
X509v3 Key Usage:
Certificate Sign, CRL Sign
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Key Identifier:
F4:E8:6D:C9:3D:42:E0:5D:D7:D8:21:5D:F8:1D:F2:CC:02:4B:C8:9E
X509v3 Authority Key Identifier:
keyid:69:FC:6A:C6:FE:AF:A1:AC:6E:8B:43:D1:14:40:54:CA:70:ED:42:5D
DirName:/C=GB/ST=England/L=London/O=<snip>/OU=CA Certs/CN=IT Root CA
serial:97:F2:73:B8:D1:0F:E2:3E
Signature Algorithm: sha1WithRSAEncryption
<snip>
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
97:f2:73:b8:d1:0f:e2:3e
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=GB, ST=England, L=London, O=<snip>, OU=CA Certs, CN=IT Root CA
Validity
Not Before: Jan 5 19:57:47 2014 GMT
Not After : Dec 24 19:57:47 2023 GMT
Subject: C=GB, ST=England, L=London, O=<snip>, OU=CA Certs, CN=IT Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
<snip>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:1
Netscape Cert Type:
SSL CA
X509v3 Key Usage:
Certificate Sign, CRL Sign
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Key Identifier:
69:FC:6A:C6:FE:AF:A1:AC:6E:8B:43:D1:14:40:54:CA:70:ED:42:5D
X509v3 Authority Key Identifier:
keyid:69:FC:6A:C6:FE:AF:A1:AC:6E:8B:43:D1:14:40:54:CA:70:ED:42:5D
DirName:/C=GB/ST=England/L=London/O=<snip>/OU=CA Certs/CN=IT Root CA
serial:97:F2:73:B8:D1:0F:E2:3E
Signature Algorithm: sha1WithRSAEncryption
<snip>
Updated•11 years ago
Component: Untriaged → Security
Comment 2•11 years ago
Hi Ben, could you please provide additional information on this? The following would be useful:
[1] the URL of the website for which Firefox threw this error,
[2] the entire error message thrown by the browser for the website in question.
Flags: needinfo?(935c)
Updated•11 years ago
Component: Security → Security: PSM
Product: Firefox → Core
Comment 3•10 years ago
Hi Ben,
Just wanted to give a friendly ping with regards to the ni? request in comment 2, and whether this is still an issue.
Thanks!
Hi Cykesiopka,
Just ack'ing your ping.
Sorry, must have completely missed comment 2!
I will try and reproduce next week.
Updated•9 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE