SSL certificate validation broken

Bug #429274 reported by Thorsten Glaser
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
firefox-3.0 (Ubuntu) | Expired | Undecided | Unassigned |

Bug Description

Kubuntu Hardy, firefox 3.0.14 (today’s update)

You need to have CAcert.org’s Root CA Certificate imported for this.

https://msoent.blog.tarent.de/

Konqueror → works
Firefox → ssl_error_bad_cert_domain

The certificate itself has:
CN: *.blog.tarent.de
X.509v3 subjectAltName: DNS:blog.tarent.de

Apparently, nss only “sees” the subjectAltName? This works with Konqueror (as stated) and Lynx. Interestingly, Opera 10 seems to have similar issues.

Certificate dump:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 486942 (0x76e1e)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing <email address hidden>
        Validity
            Not Before: Sep 14 10:10:58 2009 GMT
            Not After : Sep 14 10:10:58 2011 GMT
        Subject: C=DE, ST=Nordrhein-Westfalen, L=Bonn, O=Tarent GmbH, CN=*.blog.tarent.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2560 bit)
                Modulus (2560 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 Subject Alternative Name:
                DNS:blog.tarent.de
    Signature Algorithm: sha1WithRSAEncryption

madbiologist (me-again) wrote :

Is this still occurring with Firefox 3.0.19 or Firefox 3.6.16? If so, try updating libnss.

Thorsten Glaser (mirabilos) wrote :

Hrm. Can’t say, we’re using a GoDaddy certificate there now. Too bad.

Sorry.

madbiologist (me-again)
Changed in firefox-3.0 (Ubuntu):
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for firefox-3.0 (Ubuntu) because there has been no activity for 60 days.]

Changed in firefox-3.0 (Ubuntu):
status: Incomplete → Expired
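
Added example, not part of the original report and not code from NSS, Firefox or Konqueror: a minimal hostname check following RFC 2818 section 3.1, under which the subject CN is consulted only when the certificate carries no dNSName subjectAltName. The function names and the `also_check_cn` switch are hypothetical; the switch is an assumption used to reproduce the "works" outcome and says nothing about how any particular client is implemented.

```python
from typing import List, Optional, Tuple


def wildcard_match(pattern: str, host: str) -> bool:
    """Compare one presented name with the hostname, label by label.

    '*' is accepted only as the whole left-most label and stands for
    exactly one label; requiring at least three labels in a wildcard
    pattern is a conservative choice made for this example.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def verify_hostname(host: str, common_name: Optional[str],
                    san_dns: List[str],
                    also_check_cn: bool = False) -> Tuple[bool, str]:
    """RFC 2818 3.1: if dNSName entries exist, they are the only identity."""
    if san_dns:
        for name in san_dns:
            if wildcard_match(name, host):
                return True, "subjectAltName dNSName " + name
        if not also_check_cn:
            return False, "no dNSName matches; CN ignored because a SAN is present"
    # Reached when there is no dNSName, or when the lenient switch is on.
    if common_name and wildcard_match(common_name, host):
        return True, "subject CN " + common_name
    return False, "no presented identifier matches"


# Values taken from the certificate dump in the bug description.
CN = "*.blog.tarent.de"
SAN = ["blog.tarent.de"]
HOST = "msoent.blog.tarent.de"

if __name__ == "__main__":
    print("SAN-only:", verify_hostname(HOST, CN, SAN))
    print("CN also checked:", verify_hostname(HOST, CN, SAN, also_check_cn=True))
    # Constructed variant: the same certificate reissued with the wildcard
    # listed as a dNSName next to the bare domain.
    print("wildcard in SAN:", verify_hostname(HOST, CN, SAN + [CN]))
```

With the SAN-only rule the hostname from the report is rejected, which corresponds to ssl_error_bad_cert_domain; a certificate that lists both `blog.tarent.de` and `*.blog.tarent.de` as dNSName entries passes either rule.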