Closed Bug 982879 Opened 6 years ago Closed 6 years ago

(mozilla::pkix) https://www.sabam.be does not load in Fx30 with mozilla::pkix enabled

Categories

(Core :: Security: PSM, defect, minor)

30 Branch
defect
Not set
minor


RESOLVED DUPLICATE of bug 969188

People

(Reporter: mwobensmith, Unassigned)


Requires turning on insanity::pkix via pref security.use_insanity_verification = true

In Fx28 and Fx30 default - as well as Chrome 33 - site loads with an "Access Denied" page.

In Fx30 with insanity::pkix enabled, we receive the error SEC_ERROR_BAD_DER instead and site does not load.
The Access Denied message is simply what this web site returns. It seems to have no content. That message has nothing to do with verification or anything we do in the browser.
What I'm seeing here is the site's cert chains to GTE CyberTrust Global Root, which is apparently an x509v1 cert. In insanity::pkix::CheckBasicConstraints, we do this:

if (endEntityOrCA == MustBeCA && isTrustAnchor) {
  const CERTCertificate* nssCert = cert.GetNSSCert();

  der::Input versionDer;
  if (versionDer.Init(nssCert->version.data, nssCert->version.len)
        != der::Success) {
    return RecoverableError;
  }

versionDer.Init fails because nssCert->version.data is null (because of it being a v1 cert) and sets the error to SEC_ERROR_BAD_DER. I believe the patch in bug 969188 will fix this.
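Added example, not part of the bug comments and not mozilla::pkix or NSS code: a minimal reader for the TBSCertificate version field that treats an omitted field as v1 instead of as bad DER, which is the case the comment above describes. The names ParseCertVersion, CertVersion and Result and the sample bytes are constructed for illustration; it assumes the input starts at the contents of the TBSCertificate SEQUENCE.

```cpp
#include <cstddef>
#include <cstdint>

enum class Result { Success, BadDER };
enum class CertVersion : uint8_t { v1 = 0, v2 = 1, v3 = 2 };

// `tbs` points at the contents of the TBSCertificate SEQUENCE (outer header
// already consumed). `consumed` receives the size of the version field.
Result ParseCertVersion(const uint8_t* tbs, size_t len,
                        CertVersion& version, size_t& consumed) {
  if (!tbs || len == 0) {
    return Result::BadDER;  // an empty TBSCertificate really is malformed
  }
  if (tbs[0] != 0xA0) {
    // No [0] tag: the field was omitted, so DEFAULT v1 applies. This is the
    // normal encoding of an X.509v1 certificate, not an error.
    version = CertVersion::v1;
    consumed = 0;
    return Result::Success;
  }
  // [0] EXPLICIT wrapping a one-byte INTEGER: A0 03 02 01 vv
  if (len < 5 || tbs[1] != 0x03 || tbs[2] != 0x02 || tbs[3] != 0x01) {
    return Result::BadDER;
  }
  switch (tbs[4]) {
    case 1: version = CertVersion::v2; break;
    case 2: version = CertVersion::v3; break;
    default:
      // 0 is the default value, which DER forbids encoding explicitly;
      // anything above 2 is not a defined X.509 version.
      return Result::BadDER;
  }
  consumed = 5;
  return Result::Success;
}

// Constructed inputs: the first bytes of TBSCertificate bodies.
static const uint8_t kV1Tbs[] = { 0x02, 0x02, 0x01, 0xA5 };  // serialNumber first
static const uint8_t kV3Tbs[] = { 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x01 };
static const uint8_t kExplicitV1[] = { 0xA0, 0x03, 0x02, 0x01, 0x00 };
```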
Summary: (insanity::pkix) https://www.sabam.be does not load in Fx30 with insanity::pkix enabled → (mozilla::pkix) https://www.sabam.be does not load in Fx30 with mozilla::pkix enabled
(In reply to David Keeler (:keeler) from comment #2)
> I believe the
> patch in bug 969188 will fix this.

Yep.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 969188