Re: cryptic error messages (was: Re: mozilla can't connect to some https-sites)

2001-10-31 Thread Robert Joop

On 01-10-30 05:13:46 CET, Nelson B. Bolyard wrote:
> For future reference ...
>
> error numbers in the range [-12k .. -11K] are SSL errors.
> Their values and symbolic names are defined in
> http://lxr.mozilla.org/mozilla/source/security/nss/lib/ssl/sslerr.h
> and the suggested ASCII English strings for those errors are in
> http://lxr.mozilla.org/mozilla/source/security/nss/cmd/lib/SSLerrs.h#37

the cvs log indicates that this file has been there unchanged since
00-03-31, i.e. for the last 19 months.
why aren't those strings shown to the user?
is it a misconfiguration on my side or is it just not yet implemented?

rj
-- 
Real programmers confuse Christmas and Halloween, because Dec 25 == Oct 31.




Re: cryptic error messages (was: Re: mozilla can't connect to some https-sites)

2001-10-31 Thread Nelson B. Bolyard

Robert Joop wrote:
 
> On 01-10-30 05:13:46 CET, Nelson B. Bolyard wrote:
> > For future reference ...
>
> > error numbers in the range [-12k .. -11K] are SSL errors.
> > Their values and symbolic names are defined in
> > http://lxr.mozilla.org/mozilla/source/security/nss/lib/ssl/sslerr.h
> > and the suggested ASCII English strings for those errors are in
> > http://lxr.mozilla.org/mozilla/source/security/nss/cmd/lib/SSLerrs.h#37
>
> the cvs log indicates that this file has been there unchanged since
> 00-03-31, i.e. for the last 19 months.
> why aren't those strings shown to the user?
> is it a misconfiguration on my side or is it just not yet implemented?

I'd say the PSM just hasn't implemented it yet.  

The error numbers are part of NSS.  The NSS libraries do not provide a
function to return those strings to the application.  Each application that
uses NSS is expected to provide those strings itself.  If an application that
uses NSS fails to provide the strings, there's nothing NSS can do about it.

NSS provides suggested strings for each error code, (the file named above) 
but it is up to the application to actually provide and use the strings.  

The reason for this is simple: No two applications in the known universe 
use the same methods for internationalization and localization. 

Any method that NSS supplied for returning internationalized and localized
strings (read: strings in different languages) would be right for, at most,
one application and wrong for all others.  So, NSS puts the burden of 
providing localized strings where it belongs, on the application.   


--
Nelson Bolyard   
Disclaimer:  I speak for myself, not for Netscape
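
One way an application can carry the strings itself, as described in the message above (an added example, not NSS or PSM code): an application-owned catalog keyed by NSS error number, with an English fallback when a translation is missing and a generic message that still reports the error family and number. The type and function names, the message wording and the German text are constructed for illustration; the error symbols and base values are NSS's.

```c
#include <stdio.h>
#include <string.h>

/* Base values as defined in NSS's sslerr.h and secerr.h. */
#define SSL_ERROR_BASE (-0x3000)  /* -12288 */
#define SEC_ERROR_BASE (-0x2000)  /*  -8192 */
#define ERROR_SPAN 1000           /* range width reserved per family */

/* NSS symbol, English text, German text (NULL = not translated yet). */
typedef struct { int code; const char *name, *en, *de; } err_entry;

/* Application-owned catalog, sorted ascending by code. Wording is constructed. */
static const err_entry catalog[] = {
    { SSL_ERROR_BASE + 12, "SSL_ERROR_BAD_CERT_DOMAIN",
      "Certificate does not match the requested host name.", NULL },
    { SEC_ERROR_BASE + 11, "SEC_ERROR_EXPIRED_CERTIFICATE",
      "Certificate has expired.", "Zertifikat ist abgelaufen." },
    { SEC_ERROR_BASE + 91, "SEC_ERROR_INADEQUATE_CERT_TYPE",
      "Certificate type not approved for this use.",
      "Zertifikatstyp ist nicht fuer diesen Zweck zugelassen." },
};

static const char *err_family(int code) {
    if (code >= SSL_ERROR_BASE && code < SSL_ERROR_BASE + ERROR_SPAN) return "SSL";
    if (code >= SEC_ERROR_BASE && code < SEC_ERROR_BASE + ERROR_SPAN) return "security";
    return NULL;
}

static const err_entry *lookup(int code) {   /* binary search over catalog */
    size_t lo = 0, hi = sizeof catalog / sizeof catalog[0];
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (catalog[mid].code == code) return &catalog[mid];
        if (catalog[mid].code < code) lo = mid + 1; else hi = mid;
    }
    return NULL;
}

/* Returns 1 for a catalogued code (English if untranslated), 0 for a generic message. */
int describe_error(int code, const char *lang, char *buf, size_t n) {
    const err_entry *e = lookup(code);
    if (!e) {   /* uncatalogued: still report the family and the number */
        const char *fam = err_family(code);
        snprintf(buf, n, "Unknown %s error (%d)", fam ? fam : "unclassified", code);
        return 0;
    }
    const char *msg = (strcmp(lang, "de") == 0 && e->de) ? e->de : e->en;
    snprintf(buf, n, "%s (%s, %d)", msg, e->name, code);
    return 1;
}
```

Keeping the symbolic name and the number in the rendered message lets a user report the exact code even when the text shown is a translation.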




Re: mozilla can't connect to some https-sites

2001-10-24 Thread Robert Joop

On 01-10-24 05:46:48 CEST, Nelson B. Bolyard wrote:
> Robert Joop wrote:
>
> > i've discovered that mozilla up to 0.9.5 (build 2001101202) can't
> > connect to some https-sites netscape navigator 4.77 can connect to,
> > for example https://me.in-berlin.de/.
> > with mozilla 0.9.5 i get an unknown SSL error (-8101),
>
> Well, first of all, you should be getting a better error message than that.
> Error code -8101 is not a new error code.  PSM should recognize it.
>
> SEC_ERROR_INADEQUATE_CERT_TYPE means that the server certificate (or one
> of the CA certificates in the server cert's chain) has some extension that
> says it is not able to be used for SSL server certificates.

what does mozilla want (that netscape doesn't)?
netscape certificate extensions, perhaps? :-)
(i doubt it, it doesn't even list the extension name, just its OID.)

the root CA certificate (http://ca.in-berlin.de/cgi-bin/rootca) has:
certificate key usage: critical, certificate signer.

the server CA certificate (http://ca.in-berlin.de/cgi-bin/serverca) has:
certificate key usage: not critical, certificate signer.

the certificates were generated using openssl.

> Perhaps this error could also be caused by lack of a trust flag for the
> root CA cert.

the root CA is trusted for web servers and email users, the server CA
(signed by this root CA) is trusted for web servers.

mozilla tells me "Could not verify this certificate for unknown
reasons." for both.
unknown reasons...

> > navigator 4.77 works fine.
> > has anybody got an idea why?
>
> I'll guess that your two browsers use different copies of the cert7.db
> and key3.db files.

yes, but the CA certificates are in both browsers.
(can't remember how they got there, mozilla either converted netscape's
dbs or i downloaded them in the same way.
other users in different environments discovered the same when they
tried to use mozilla on these https-sites.)

rj




Re: mozilla can't connect to some https-sites

2001-10-23 Thread Nelson B. Bolyard

Robert Joop wrote:

> i've discovered that mozilla up to 0.9.5 (build 2001101202) can't
> connect to some https-sites netscape navigator 4.77 can connect to,
> for example https://me.in-berlin.de/.
> with mozilla 0.9.5 i get an unknown SSL error (-8101),

Well, first of all, you should be getting a better error message than that.
Error code -8101 is not a new error code.  PSM should recognize it.

SEC_ERROR_INADEQUATE_CERT_TYPE means that the server certificate (or one
of the CA certificates in the server cert's chain) has some extension that
says it is not able to be used for SSL server certificates.  

Perhaps this error could also be caused by lack of a trust flag for the 
root CA cert.  

> navigator 4.77 works fine.
> has anybody got an idea why?

I'll guess that your two browsers use different copies of the cert7.db
and key3.db files.  

> rj


--
Nelson Bolyard   Netscape
Disclaimer:  I speak for myself, not for Netscape