Nelson B wrote:
I surely wish that Mozilla's security error messages would all display
a readable and meaningful error message instead of a number.
I didn't look at your packet trace, but I believe error -8102
SEC_ERROR_INADEQUATE_KEY_USAGE means that either the SSL server cert itself
or one of the issuing certificate authority (CA) certs in the "cert chain" for that server certificate has a "usage extension" that limits the purposes for which the cert can be used, and the allowed set of purposes (or "usages")
doesn't include the purpose necessary to be an SSL server, or a CA for an SSL
server (if it was a CA cert).
For an SSL server, the cert needs to be allowed "key encipherment" usage
(assuming the public key is an RSA public key). For a CA for an SSL server, the cert needs to be allowed "certificate signing" usage. The certificate
authority that issued the certificate controls those extensions, I believe, and if that party says that the cert isn't good for a certain purpose, Mozilla honors that. Honoring certificate extensions is what PKI security
software that handles certificates is expected to do, if I'm not mistaken. Perhaps not all browsers do that though. :)
Disclaimer: This is all my personal opinion.
Note: followups directed to netscape.public.mozilla.crypto
--
Nelson B

Here's the cert that the firewall uses:
Subject: CN=donner VPN Certificate,O=donner..frehxz
Issuer: O=donner..frehxz
Not Valid Before: Sun Sep 29 10:05:19 2002 Local Time
Not Valid After: Sat Sep 29 10:05:19 2007 Local Time
Serial No.: 11304
CRL distribution points:
http://donner.testlab.the.ai.pri:18264/ICA_CRL1.crl
CN=ICA_CRL1,O=donner..frehxz
Key Usage:
digitalSignature
dataEncipherment
Basic Constraint:
not CA
MD5 Fingerprint:
5E:90:E4:CC:22:98:51:40:36:59:D5:BC:02:36:CC:A9
SHA-1 Fingerprints:
1. 52:11:D1:6C:51:B0:B4:75:1B:F1:7A:AD:73:9B:E4:20:2D:47:A3:EB
2. BAND GONG BOHR JUDO COL SAT HOT GIRD LAVA TALE MONT DUE
Now, you say usage should include "key encipherment". Is that the same as dataEncipherment?
Thanks for the help.
Simon
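To make the difference between the two usages concrete, here is an added example (my own code, not anything from Mozilla/NSS or the firewall vendor) that decodes the KeyUsage extension bits as defined in RFC 5280 and applies the rule Nelson described: an RSA server cert needs keyEncipherment, a CA cert needs keyCertSign. The DER byte strings are constructed by hand; the first one carries the same two usages shown in the firewall cert above.

```python
# Decode an X.509 KeyUsage extension (a DER BIT STRING) and apply the rule
# from the post: RSA SSL server cert -> keyEncipherment, CA cert -> keyCertSign.
# Constructed example, not NSS code; the DER bytes are hand-built.

# Bit positions from RFC 5280 section 4.2.1.3 (bit 0 is the MSB of the first byte).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# Constructed DER encodings: tag 0x03, length, unused-bit count, bit bytes.
FIREWALL_CERT_KU = bytes.fromhex("03020490")  # digitalSignature + dataEncipherment (as in the firewall cert)
SERVER_CERT_KU = bytes.fromhex("030205a0")    # digitalSignature + keyEncipherment
CA_CERT_KU = bytes.fromhex("03020106")        # keyCertSign + cRLSign


def decode_key_usage(der):
    """Return the set of usage names set in a DER-encoded KeyUsage BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:  # short-form length is enough here
        raise ValueError("bad BIT STRING length")
    unused = der[2]          # number of unused trailing bits in the last byte
    payload = der[3:]
    total_bits = len(payload) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if payload[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return names


def inadequate_key_usage(usage, is_ca, rsa_key=True):
    """Return the missing usage that would trigger SEC_ERROR_INADEQUATE_KEY_USAGE, or None."""
    if is_ca:
        return None if "keyCertSign" in usage else "keyCertSign"
    if rsa_key and "keyEncipherment" not in usage:
        return "keyEncipherment"
    return None


if __name__ == "__main__":
    for label, der, ca in (("firewall", FIREWALL_CERT_KU, False),
                           ("server", SERVER_CERT_KU, False),
                           ("ca", CA_CERT_KU, True)):
        usage = decode_key_usage(der)
        print(label, sorted(usage), "missing:", inadequate_key_usage(usage, ca))
```

Running it reports the firewall cert as missing keyEncipherment even though dataEncipherment is present, which is exactly the mismatch the post describes.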
