Simon Coffey wrote:

> I am looking into a problem that occurs with SSL certificates, when
> using Mozilla based browsers (actually, anything other than IE I think)
> and an SSL reverse proxy that is part of a firewall I support.
>
> Mozilla rejects the certificate offered as "invalid or corrupt".
>
> Full error: Could not establish an encrypted connection because
> certificate presented by <server> is invalid or corrupted. Error code:
> -8102.
>
> The firewall supplier doesn't seem to be that bothered about fixing this.
> I thought I'd see if I couldn't identify exactly what is the problem
> and point this out to the supplier, perhaps then they might fix it.
>
> So, I don't know that much about SSL certs. I was wondering whether
> anyone could take a look at the packet trace attached and suggest why
> Mozilla rejects the cert?
I surely wish that Mozilla's security error messages would all display a readable and meaningful error message instead of a number.

I didn't look at your packet trace, but I believe error -8102 SEC_ERROR_INADEQUATE_KEY_USAGE means that either the SSL server cert itself or one of the issuing certificate authority (CA) certs in the "cert chain" for that server certificate has a "usage extension" that limits the purposes for which the cert can be used, and the allowed set of purposes (or "usages") doesn't include the purpose necessary to be an SSL server, or a CA for an SSL server (if it was a CA cert).

For an SSL server, the cert needs to be allowed "key encipherment" usage (assuming the public key is an RSA public key). For a CA for an SSL server, the cert needs to be allowed "certificate signing" usage.

The certificate authority that issued the certificate controls those extensions, I believe, and if that party says that the cert isn't good for a certain purpose, Mozilla honors that. Honoring certificate extensions is what PKI security software that handles certificates is expected to do, if I'm not mistaken. Perhaps not all browsers do that though. :)

Disclaimer: This is all my personal opinion.

Note: followups directed to netscape.public.mozilla.crypto

-- 
Nelson B
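To make the check Nelson describes concrete, here is an added example (not code from either poster or from NSS) that decodes the DER KeyUsage BIT STRING of an X.509 certificate and applies the two rules above: an RSA server cert needs keyEncipherment, a CA cert needs keyCertSign. The DER samples are constructed for this example; the "extension absent means no restriction" rule follows RFC 5280, and the RSA assumption is the one Nelson states.

```python
"""Decode an X.509 KeyUsage extension value (RFC 5280, 4.2.1.3) and apply the
checks that produce SEC_ERROR_INADEQUATE_KEY_USAGE when they fail."""

# Bit positions of the KeyUsage BIT STRING, bit 0 being the MSB of the first octet.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

def decode_key_usage(der: bytes) -> set:
    """Decode a short-form DER BIT STRING (tag 0x03) into a set of usage names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or inconsistent BIT STRING length")
    unused = der[2]  # number of padding bits in the last content octet
    if unused > 7:
        raise ValueError("invalid unused-bits count")
    body = der[3:]
    nbits = len(body) * 8 - unused
    usages = set()
    for i in range(min(nbits, len(KEY_USAGE_BITS))):
        byte, bit = divmod(i, 8)
        if body[byte] & (0x80 >> bit):
            usages.add(KEY_USAGE_BITS[i])
    return usages

def check_ssl_server(key_usage) -> bool:
    """End-entity cert with an RSA key (as assumed above) must allow keyEncipherment.
    None models a certificate without a KeyUsage extension: no restriction applies."""
    if key_usage is None:
        return True
    return "keyEncipherment" in key_usage

def check_ca(key_usage) -> bool:
    """An issuing CA cert must allow keyCertSign."""
    if key_usage is None:
        return True
    return "keyCertSign" in key_usage

# Constructed sample extension values (DER BIT STRINGs):
SERVER_OK = bytes.fromhex("030205a0")   # digitalSignature, keyEncipherment
SERVER_BAD = bytes.fromhex("03020780")  # digitalSignature only: the -8102 case
CA_OK = bytes.fromhex("03020106")       # keyCertSign, cRLSign

if __name__ == "__main__":
    for label, der, check in (("server ok", SERVER_OK, check_ssl_server),
                              ("server bad", SERVER_BAD, check_ssl_server),
                              ("ca ok", CA_OK, check_ca)):
        print(label, sorted(decode_key_usage(der)), check(decode_key_usage(der)))
```

Running the same decoder over the server and CA certificates from a packet trace (the extension value is the content of the octets following OID 2.5.29.15) shows which certificate in the chain lacks the required bit.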
