Bug#400947: iceweasel: Rejects certificate issued by https://www.ultimatix.net by throwing error code -8102
On Sun, Feb 11, 2007 at 12:36:53PM +0530, Siddhesh Poyarekar [EMAIL PROTECTED] wrote:
> On 2/11/07, Mike Hommey [EMAIL PROTECTED] wrote:
> > SEC_ERROR_INADEQUATE_KEY_USAGE -8102
> > Certificate key usage inadequate for attempted operation.
> > (from http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html )
> >
> > > Pretty strange. Would you mind filing a bug at bugzilla.mozilla.org and linking it to this one?
> >
> > There are already plenty of them, and it is useless to add one. See
> > http://gemal.dk/blog/2003/03/03/internet_explorer_just_doesnt_care_about_security/
>
> Doesn't the X509v3 Extended Key Usage section come into play at all? It specifies TLS Server Authentication as one of the usages. There is another certificate in use in one of our internal sites that has an identical certificate layout except that the X509v3 Extended Key Usage field comes before the X509v3 Key Usage field unlike in this certificate. That certificate works just fine in iceweasel.

But does the CA certificate specify a Certificate Sign key usage ?

Mike

On Sun, Feb 11, 2007 at 03:12:11PM +0530, Siddhesh Poyarekar [EMAIL PROTECTED] wrote:
> On 2/11/07, Mike Hommey [EMAIL PROTECTED] wrote:
> > But does the CA certificate specify a Certificate Sign key usage ?
>
> Here's what I get when I run the certificate through Kleopatra:
> (...)

What happens if you add the CA certificate in iceweasel's certificate manager ?

Did you try to add the CA certificate on the server ? (SSLCertificateChainFile directive on apache)

Mike

On 2/11/07, Mike Hommey [EMAIL PROTECTED] wrote:
> But does the CA certificate specify a Certificate Sign key usage ?

Here's what I get when I run the certificate through Kleopatra:

    /home/siddhesh/.gnupg/pubring.kbx
           Serial number: 00
                  Issuer: 1.2.840.113549.1.9.1=#63696F406D756D6261692E7463732E636F2E696E,CN=TCS CIO,OU=TCS,O=TCS,L=Mumbai,ST=Maharashtra,C=IN
                 Subject: 1.2.840.113549.1.9.1=#63696F406D756D6261692E7463732E636F2E696E,CN=TCS CIO,OU=TCS,O=TCS,L=Mumbai,ST=Maharashtra,C=IN
                sha1_fpr: 99:E1:DB:93:E9:EF:1F:3F:72:5E:88:33:0E:F7:7E:00:71:93:43:1A
                 md5_fpr: F2:56:25:3D:47:7E:D5:8F:52:2B:14:56:2F:0E:86:19
                  certid: BCAC50A72D6B623402ED1EDDC2633C0203DD4B69.00
                 keygrip: D3E864FFF6ADF47B4E7C56CF5622E538D7278A60
               notBefore: 2002-03-26 06:23:58
                notAfter: 2012-03-23 06:23:58
                hashAlgo: 1.2.840.113549.1.1.4 (md5WithRSAEncryption)
                 keyType: 2048 bit RSA
               subjKeyId: 708BF42057D2810A654BD22A2D46BE3CCAD7784C
               authKeyId: 00
                          1.2.840.113549.1.9.1=#63696F406D756D6261692E7463732E636F2E696E,CN=TCS CIO,OU=TCS,O=TCS,L=Mumbai,ST=Maharashtra,C=IN
            authKeyId.ki: 708BF42057D2810A654BD22A2D46BE3CCAD7784C
                keyUsage: digitalSignature certSign crlSign
             extKeyUsage: [none]
                policies: [none]
             chainLength: 0
                   crlDP: [none]
                authInfo: [none]
                subjInfo: [none]

The 'certSign' is probably what you're looking for.

Regards,
--
Siddhesh Poyarekar
http://siddhesh.tk

On 2/11/07, Mike Hommey [EMAIL PROTECTED] wrote:
> What happens if you add the CA certificate in iceweasel's certificate manager ?

It doesn't make any difference.

> Did you try to add the CA certificate on the server ? (SSLCertificateChainFile directive on apache)

I do not have access to the web server.

Also, I imported the website certificate into certificate manager and in the Purposes column it only shows the KeyUsage purposes, viz: Client and Sign. It does not show the ExtendedKeyUsage purposes, which include Server authentication (serverAuth according to Kleopatra).

--
Siddhesh Poyarekar
http://siddhesh.tk

On Sun, Feb 11, 2007 at 03:38:05PM +0530, Siddhesh Poyarekar [EMAIL PROTECTED] wrote:
> On 2/11/07, Mike Hommey [EMAIL PROTECTED] wrote:
> > What happens if you add the CA certificate in iceweasel's certificate manager ?
>
> It doesn't make any difference.
>
> > Did you try to add the CA certificate on the server ? (SSLCertificateChainFile directive on apache)
>
> I do not have access to the web server.
>
> Also, I imported the website certificate into certificate manager and in the Purposes column it only shows the KeyUsage purposes, viz: Client and Sign. It does not show the ExtendedKeyUsage purposes, which include Server authentication (serverAuth according to Kleopatra).

What about the other one ?

Mike

On 2/11/07, Mike Hommey [EMAIL PROTECTED] wrote:
> What about the other one ?

The other site has the following info in that order:

==
X509v3 Extended Key Usage:
    TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Key Usage:
    Digital Signature, Key Encipherment
==

Another difference I noticed right now is the 'Key Encipherment' in key usage here which is not in the earlier certificate.

I looked up in the mozilla bugs database and found this:
https://bugzilla.mozilla.org/show_bug.cgi?id=341271

--
Siddhesh Poyarekar
http://siddhesh.tk

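The two certificates compared in this message, and the field-order question raised elsewhere in the thread, can be checked mechanically. The following is an added example (not code from this thread, from iceweasel or from NSS): a small DER decoder for the KeyUsage and ExtendedKeyUsage values, plus the rule NSS applies to an RSA server certificate under RSA key exchange, which needs keyEncipherment to wrap the premaster secret and so explains SEC_ERROR_INADEQUATE_KEY_USAGE here. The OID table is the usual IANA/PKIX one, and the sample byte strings are the usages quoted above re-encoded by hand, not bytes taken from the real certificates.

```python
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
           "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]
EKU_OIDS = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth",
            "1.3.6.1.5.5.7.3.4": "emailProtection"}   # unknown OIDs are kept dotted

def _tlv(buf, pos):  # one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """OID content octets to dotted form: first octet packs two arcs, rest base-128."""
    arcs, acc = ([2, raw[0] - 80] if raw[0] >= 80 else [raw[0] // 40, raw[0] % 40]), 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))

def decode_key_usage(der):
    """KeyUsage is a BIT STRING; bit 0 is the MSB of the first content octet."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x03: raise ValueError("KeyUsage must be a BIT STRING")
    nbits, value = 8 * (len(body) - 1) - body[0], int.from_bytes(body[1:], "big")
    return [name for i, name in enumerate(KU_BITS)
            if i < nbits and (value >> (8 * (len(body) - 1) - 1 - i)) & 1]

def decode_eku(der):  # ExtendedKeyUsage is a SEQUENCE OF OBJECT IDENTIFIER
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30: raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        _, oid, pos = _tlv(body, pos)
        names.append(EKU_OIDS.get(decode_oid(oid), decode_oid(oid)))
    return names

def server_cert_problems(ku_der, eku_der):
    """Defects making an RSA server cert unusable with RSA key exchange; [] if none.
    Each extension is decoded on its own, so their order in the cert is irrelevant."""
    ku, eku, problems = decode_key_usage(ku_der), decode_eku(eku_der), []
    if "serverAuth" not in eku: problems.append("ExtendedKeyUsage lacks serverAuth")
    if "keyEncipherment" not in ku: problems.append("KeyUsage lacks keyEncipherment")
    return problems

# Usages quoted in this thread, re-encoded by hand (constructed, not the real certs' bytes).
REJECTED_KU = bytes.fromhex("030206c0")    # KU: Digital Signature, Non Repudiation
REJECTED_EKU = bytes.fromhex("302b06082b0601050507030406082b06010505070301060a2b0601040182370a030306096086480186f8420401")
ACCEPTED_KU = bytes.fromhex("030203a0")    # KU: Digital Signature, Key Encipherment
ACCEPTED_EKU = bytes.fromhex("301406082b0601050507030206082b06010505070301")  # clientAuth, serverAuth
```

Running `server_cert_problems` on the two pairs flags only the rejected certificate, and only for the missing keyEncipherment bit; the two Server Gated Crypto OIDs in its EKU come back in dotted form because they are not in the small table.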
tags 400947 confirmed
thanks

Version: 2.0.0.1+dfsg-1

* Siddhesh Poyarekar ([EMAIL PROTECTED]) wrote:
> Package: iceweasel
> Version: 2.0+dfsg-1
> Severity: normal
>
> Iceweasel fails to load https://www.ultimatix.net saying:
>
>     Could not establish encrypted connection because certificate presented by www.ultimatix.net is either invalid or corrupted. Error Code: -8102.
>
> The above site opens fine in Konqueror as well as in Internet Explorer.
>
> Here's a snippet of the certificate to confirm that the certificate supports web server authentication:
>
>     X509v3 Key Usage:
>         Digital Signature, Non Repudiation
>     X509v3 Extended Key Usage:
>         E-mail Protection, TLS Web Server Authentication, Microsoft Server Gated Crypto, Netscape Server Gated Crypto
>     Netscape Cert Type:
>         SSL Client, SSL Server
>
> The only difference between this certificate and another valid certificate is that the Extended Key Usage section comes before the Key Usage section in the valid certificate.
>
> Does konqueror validate this certificate erroneously or should firefox be accepting this certificate as well?

Pretty strange. Would you mind filing a bug at bugzilla.mozilla.org and linking it to this one?

--
Eric Dorland [EMAIL PROTECTED]
ICQ: #61138586, Jabber: [EMAIL PROTECTED]
1024D/16D970C6 097C 4861 9934 27A0 8E1C 2B0A 61E9 8ECF 16D9 70C6

On Sat, Feb 10, 2007 at 02:27:59PM -0500, Eric Dorland [EMAIL PROTECTED] wrote:
> tags 400947 confirmed
> thanks
>
> Version: 2.0.0.1+dfsg-1
>
> * Siddhesh Poyarekar ([EMAIL PROTECTED]) wrote:
> > Package: iceweasel
> > Version: 2.0+dfsg-1
> > Severity: normal
> >
> > Iceweasel fails to load https://www.ultimatix.net saying:
> >
> >     Could not establish encrypted connection because certificate presented by www.ultimatix.net is either invalid or corrupted. Error Code: -8102.

SEC_ERROR_INADEQUATE_KEY_USAGE -8102
Certificate key usage inadequate for attempted operation.
(from http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html )

> Pretty strange. Would you mind filing a bug at bugzilla.mozilla.org and linking it to this one?

There are already plenty of them, and it is useless to add one. See
http://gemal.dk/blog/2003/03/03/internet_explorer_just_doesnt_care_about_security/

You may file a bug so that they include a useful description of the error code, though.

Mike

On 2/11/07, Mike Hommey [EMAIL PROTECTED] wrote:
> SEC_ERROR_INADEQUATE_KEY_USAGE -8102
> Certificate key usage inadequate for attempted operation.
> (from http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html )
>
> > Pretty strange. Would you mind filing a bug at bugzilla.mozilla.org and linking it to this one?
>
> There are already plenty of them, and it is useless to add one. See
> http://gemal.dk/blog/2003/03/03/internet_explorer_just_doesnt_care_about_security/

Doesn't the X509v3 Extended Key Usage section come into play at all? It specifies TLS Server Authentication as one of the usages. There is another certificate in use in one of our internal sites that has an identical certificate layout except that the X509v3 Extended Key Usage field comes before the X509v3 Key Usage field unlike in this certificate. That certificate works just fine in iceweasel. Is it possible that Firefox/iceweasel/mozilla takes only the first of the two fields? I'm relatively clueless about SSL/certificates so this is at best an uninformed deduction.

Also, this is not just about IE. Even konqueror is able to validate the certificate.

Regards,
--
Siddhesh Poyarekar
http://siddhesh.tk

Package: iceweasel
Version: 2.0+dfsg-1
Severity: normal

Iceweasel fails to load https://www.ultimatix.net saying:

    Could not establish encrypted connection because certificate presented by www.ultimatix.net is either invalid or corrupted. Error Code: -8102.

The above site opens fine in Konqueror as well as in Internet Explorer.

Here's a snippet of the certificate to confirm that the certificate supports web server authentication:

    X509v3 Key Usage:
        Digital Signature, Non Repudiation
    X509v3 Extended Key Usage:
        E-mail Protection, TLS Web Server Authentication, Microsoft Server Gated Crypto, Netscape Server Gated Crypto
    Netscape Cert Type:
        SSL Client, SSL Server

The only difference between this certificate and another valid certificate is that the Extended Key Usage section comes before the Key Usage section in the valid certificate.

Does konqueror validate this certificate erroneously or should firefox be accepting this certificate as well?

Regards,
Siddhesh

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.18-2-486
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

-- no debconf information

--
Siddhesh Poyarekar
http://siddhesh.tk
http://siddhesh.phpnet.us