Signature Algorithm: sha512WithRSAEncryption Openssl x509 -text -in serverCert.pem -noout produces this: Ideally, we'd return the SEC_ERROR_CERT_NOT_IN_NAME_SPACE error instead of SEC_ERROR_BAD_DER during name constraint checking, to help people understand why things went wrong when they go wrong, but that can be done in a follow-up bug.
#Powerchute business edition login default windows
indicates that Windows doesn't support iPAddress subjectAltName and Microsoft recommends (not just on that page, but elsewhere) that dNSName be used for IP addresses instead. I agree that is probably the best course of action. > effectively skip malformed entries if they appear after a match). > without compromising security too much (particularly since we currently > constraints? I think that would address the immediate compatibility concerns > the purposes of CheckCertHostname but still fail with ERROR_BAD_DER for name > Brian, would it be sensible to just skip malformed DNSName SAN entries for (In reply to David Keeler (use needinfo?) from comment #13) Conversely, if it is safe to have invalid dNSName entries at the end, then it should be OK to have invalid dNSName entries everywhere. If it is important that we reject invalid dNSName entries, then we should check the syntax of all of them. It seems wrong to me that the order matters. Thus, the order of the invalid dNSName entries relative to other entries matters. > and who would decide? Brian would that be you or maybe David?īased on Aureliano Pato Gozzi's comment and other comments I've read, it seems we strictly check the syntax of every dNSName entry until we find a matching one, and then avoid checking the rest. * There are simple workarounds that the site owner can use to fix the problem. Most websites don't have any need for IP addresses in their certificates. * Not many sites seem to be affected by this. The more such workarounds we implement, the more likely it is we do something that makes Firefox less safe. This is more about whether we want to implement a workaround to help non-compliant certificates keep working. * The certs are non-compliant with the specification that defines how certificates work. > Brian, how far back does this affect Firefox?
(In reply to Liz Henry (:lizzard) from comment #9) Is there a way to whitelist sites with these types Subject Alternative Name entries either globally (always allow) or manually (add each site separately)? there is no "add exception" button on the "Secure Connection Failed" error page that would allow overwrite. It looks like it is being caused by same problem where IP addresses are listed in the DNS fields. > TLS Web Client Authentication, TLS Web Server Authentication > Subject: CN=, O=Generated by IBM Firmware, C=US, ST=TX, L=Austin
> Signature Algorithm: sha1WithRSAEncryption When checking the certificate generated by the IMM, i see following: security library: improperly formatted DER-encoded message. "An error occurred during a connection to host-imm. I have multiple devices that (server IMM modules) that are no longer accessible as of the latest update.
I'm seeing similar issues on Nightly 40.0a1 ()
0 kommentar(er)
