[regression] Firefox "sec_error_bad_der"

Bug #342834 reported by Fridtjof Busse
Affects | Status | Importance | Assigned to | Milestone
firefox-3.0 (Ubuntu) | Fix Released | Undecided | Unassigned |
openssl (Ubuntu) | Invalid | Undecided | Unassigned |

Bug Description

Binary package hint: firefox

Firefox in the current jaunty does not connect to an SSL site that works just fine on intrepid with the error "sec_error_bad_der".
It may well be that there's an error somewhere in the cert, but as intrepid works this is a regression, as both releases use the same browser. Maybe a change in xulrunner?
If you need the problematic website, please just send me an email as I'd rather not put the URL into a public bug report.

Jacob Peddicord (jpeddicord) wrote :

Thank you for your bug report. It is possible that you have installed the certificate (or an exception) on your browser on Intrepid and not on Jaunty. I have marked this report as private, so you may post the URL here if you like -- if not, feel free to email it to me (<email address hidden>) and I'll see if it is indeed an issue. Thanks!

Jacob Peddicord (jpeddicord) wrote :

Scratch the private note; these still get mirrored to a public location. Email is fine, sorry for the confusion.

Jacob Peddicord (jpeddicord) wrote :

I can confirm this issue using an old Hardy system, though I'm not entirely sure where the problem lies or whether the breakage is intentional (i.e., the SSL library is now enforcing some policy).

Using firefox-3.0 and firefox-3.1 on jaunty, I get "security library: improperly formatted DER-encoded message" with *no* option to add an exception or connect to the site at all. On the hardy machine, the error is "ssl_error_bad_cert_domain" stating that the domain on the certificate and the domain being used do not match. However, closer inspection reveals that, according to the certificate, they *do.* This could mean that the certificate/ca-cert is indeed corrupt.

I also tested the URL with wget. On jaunty: "Unable to locally verify the issuer's authority." On hardy: "Unable to get local issuer certificate." I'll leave this bug open so someone else may look at it, but it almost seems that the newer SSL library is only using a better error-checking mechanism and that certificate really is bad.
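
Added example, not part of the original thread and not NSS or OpenSSL code: a structural check for the kind of strictness the comment above speculates about, where a parser rejects encodings that BER allows but DER forbids. The thread does not identify which defect the certificate had; the function name, messages and sample bytes are constructed for illustration, and the check covers only tag/length structure, not every DER rule.

```python
# Added example: structural DER strictness check (not NSS or OpenSSL code).
def der_problems(buf, offset=0, end=None):
    """Walk the TLVs in buf[offset:end]; return [(offset, message), ...]."""
    end = len(buf) if end is None else end
    problems, pos = [], offset
    while pos < end:
        start, tag = pos, buf[pos]
        pos += 1
        if tag & 0x1F == 0x1F:  # high-tag-number form: skip continuation bytes
            while pos < end and buf[pos] & 0x80:
                pos += 1
            pos += 1
        if pos >= end:
            problems.append((start, "truncated before length"))
            break
        first = buf[pos]
        pos += 1
        if first < 0x80:  # short form
            length = first
        elif first == 0x80:  # allowed in BER, forbidden in DER
            problems.append((start, "indefinite length (BER only)"))
            break
        else:  # long form: low 7 bits give the number of length bytes
            n = first & 0x7F
            if pos + n > end:
                problems.append((start, "truncated length field"))
                break
            length = int.from_bytes(buf[pos:pos + n], "big")
            if buf[pos] == 0 or length < 0x80:
                problems.append((start, "non-minimal length encoding"))
            pos += n
        if pos + length > end:
            problems.append((start, "value overruns enclosing element"))
            break
        if tag & 0x20:  # constructed type: check the nested elements too
            problems += der_problems(buf, pos, pos + length)
        pos += length
    return problems

# Constructed sample inputs (not taken from the certificate in this report).
GOOD = bytes.fromhex("3007020105" "0c026f6b")         # SEQUENCE { INTEGER 5, UTF8String "ok" }
LONG_FORM = bytes.fromhex("308107020105" "0c026f6b")  # same content, length written as 81 07
INDEFINITE = bytes.fromhex("30800201050000")          # BER indefinite length
NESTED = bytes.fromhex("300402810105")                # inner INTEGER length written as 81 01
TRUNCATED = bytes.fromhex("3007020105")               # declares 7 bytes, only 3 present

if __name__ == "__main__":
    for name in ("GOOD", "LONG_FORM", "INDEFINITE", "NESTED", "TRUNCATED"):
        print(name, der_problems(globals()[name]))
```

To check a real certificate, convert it from PEM to DER first (for example with `ssl.PEM_cert_to_DER_cert`) and pass the resulting bytes to `der_problems`.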

Alexander Sack (asac) wrote : Re: [Bug 342834] Re: [regression] Firefox "sec_error_bad_der"

On Sun, Mar 15, 2009 at 02:22:49AM -0000, Jacob Peddicord wrote:
> ** Visibility changed to: Private
>
this isn't private. open it up again. thanks!

 - Alexander

Jacob Peddicord (jpeddicord) wrote :

Alexander:

It's been opened previously, sorry for the confusion.

Changed in firefox-3.0 (Ubuntu):
status: New → Incomplete
Changed in openssl (Ubuntu):
status: New → Incomplete
xteejx (xteejx) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. We are sorry that we do not always have the capacity to look at all reported bugs in a timely manner. There have been many changes in Ubuntu since the time you reported the bug and your problem may have been fixed with some of the updates. If you could test the current Ubuntu development version, this would help us a lot. If you can test it, and it is still an issue, we would appreciate it if you could upload updated logs by running apport-collect <bug #>, and any other logs that are relevant for this particular issue.

Fridtjof Busse (fbusse-deactivatedaccount-deactivatedaccount) wrote :

Problem seems to be fixed on lucid

xteejx (xteejx) wrote :

Brilliant, thank you for the update.

Changed in firefox-3.0 (Ubuntu):
status: Incomplete → Fix Released
Changed in openssl (Ubuntu):
status: Incomplete → Invalid