Closed Bug 956643 Opened 10 years ago Closed 7 years ago

False alert sec_error_inadequate_key_usage message ?

Categories

(Core :: Security: PSM, defect)

26 Branch
x86
macOS
defect
Not set
normal

RESOLVED INCOMPLETE

People

(Reporter: 935c, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.73.11 (KHTML, like Gecko) Version/7.0.1 Safari/537.73.11

Steps to reproduce:

Given a non-self-signed server cert, I've no idea what Firefox is complaining about.  Other browsers such as Safari don't take issue with this cert !

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=GB, ST=England, L=London, O= <snip>, OU=CA Certs, CN=IT Issuing CA
        Validity
            Not Before: Jan  5 21:02:16 2014 GMT
            Not After : Jan  4 21:02:16 2019 GMT
        Subject: C=GB, ST=England, L=London, O= <snip>, OU=Web Services, CN=<snip>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                     <snip>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Server
            X509v3 Key Usage: 
                Digital Signature, Key Agreement
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, Netscape Server Gated Crypto
            X509v3 Subject Key Identifier: 
                00:FE:E8:E3:56:1F:8A:48:09:0E:01:52:0D:E9:B8:C3:9F:40:9E:C0
            X509v3 Authority Key Identifier: 
                keyid:F4:E8:6D:C9:3D:42:E0:5D:D7:D8:21:5D:F8:1D:F2:CC:02:4B:C8:9E

            X509v3 Subject Alternative Name: 
                IP Address: <snip>
    Signature Algorithm: sha1WithRSAEncryption
        <snip>

The CA chain looks like this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=GB, ST=England, L=London, O=<snip>, OU=CA Certs, CN=IT Root CA
        Validity
            Not Before: Jan  5 20:09:04 2014 GMT
            Not After : Dec 24 20:09:04 2023 GMT
        Subject: C=GB, ST=England, L=London, O=<snip>, OU=CA Certs, CN=IT Issuing CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    <snip>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            Netscape Cert Type: 
                SSL CA
            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Key Identifier: 
                F4:E8:6D:C9:3D:42:E0:5D:D7:D8:21:5D:F8:1D:F2:CC:02:4B:C8:9E
            X509v3 Authority Key Identifier: 
                keyid:69:FC:6A:C6:FE:AF:A1:AC:6E:8B:43:D1:14:40:54:CA:70:ED:42:5D
                DirName:/C=GB/ST=England/L=London/O=<snip>/OU=CA Certs/CN=IT Root CA
                serial:97:F2:73:B8:D1:0F:E2:3E

    Signature Algorithm: sha1WithRSAEncryption
        <snip>

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            97:f2:73:b8:d1:0f:e2:3e
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=GB, ST=England, L=London, O=<snip>, OU=CA Certs, CN=IT Root CA
        Validity
            Not Before: Jan  5 19:57:47 2014 GMT
            Not After : Dec 24 19:57:47 2023 GMT
        Subject: C=GB, ST=England, L=London, O=<snip>, OU=CA Certs, CN=IT Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    <snip>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            Netscape Cert Type: 
                SSL CA
            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Key Identifier: 
                69:FC:6A:C6:FE:AF:A1:AC:6E:8B:43:D1:14:40:54:CA:70:ED:42:5D
            X509v3 Authority Key Identifier: 
                keyid:69:FC:6A:C6:FE:AF:A1:AC:6E:8B:43:D1:14:40:54:CA:70:ED:42:5D
                DirName:/C=GB/ST=England/L=London/O=<snip>/OU=CA Certs/CN=IT Root CA
                serial:97:F2:73:B8:D1:0F:E2:3E

    Signature Algorithm: sha1WithRSAEncryption
        <snip>
Component: Untriaged → Security
Hi Ben, could you please provide additional information on this? The following would be useful:
[1] the URL of the website for which Firefox threw this error,
[2] the entire error message thrown by the browser for the website in question.
Flags: needinfo?(935c)
Component: Security → Security: PSM
Product: Firefox → Core
Hi Ben,

Just wanted to give a friendly ping with regards to the ni? request in comment 2, and whether this is still an issue.

Thanks!
Hi Cykesiopka,

Just ack'ing your ping.

Sorry, must have completely missed comment 2 !

I will try and reproduce next week.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE
Flags: needinfo?(935c)