Bug 440423

Summary: [REHL5 U2] FireFox does not allow to override SEC_ERROR_INADEQUATE_KEY_USAGE
Product: Red Hat Enterprise Linux 5
Reporter: Jeff Burke <jburke>
Component: xulrunner
Assignee: Gecko Maintainer <gecko-bugs-nobody>
Status: CLOSED ERRATA
QA Contact: desktop-bugs <desktop-bugs>
Severity: high
Priority: low
Version: 5.2
CC: gecko-bugs-nobody, kengert, mcepl
Target Milestone: rc
Keywords: Regression
Hardware: All
OS: Linux
URL: https://192.168.77.18/
Fixed In Version: RHEA-2008-0479
Doc Type: Bug Fix
Last Closed: 2008-05-21 14:25:08 UTC

Description Jeff Burke 2008-04-03 14:24:04 UTC
Description of problem:
 Looks like Firefox 3 isn't accepting self-signed certificates anymore - There
is no way to add this ip to the exception list that I have found.

Version-Release number of selected component (if applicable):
firefox-3.0-0.beta4.1.el5


How reproducible:
Always

Steps to Reproduce:
1. Open this URL https://192.168.77.18/
  
Actual results:
Message Displayed
"Secure Connection Failed

An error occurred during a connection to 192.168.77.18.
Certificate key usage inadequate for attempted operation.
(Error code: sec_error_inadequate_key_usage)

The page you are trying to view can not be shown because the authenticity of the
received data could not be verified.
    * Please contact the web site owners to inform them of this problem."

Expected results:
I was able to open this prior to the FF3 update

Additional info:
- http://forums.mozillazine.org/viewtopic.php?p=3214810&sid=83ec36b154173a769dcf000463a6b153
- http://groups.google.com/group/mozilla.feedback.firefox.prerelease/browse_thread/thread/885b8914a0cc9e80

Comment 1 Michal Babej 2008-04-04 13:54:53 UTC
I have just connected to a page with self-signed cert, it works in ff3 (same
version).

I think the error refers to incorrect certificate usage (e.g. some certificates
are only valid for signing emails...), but I'm no expert on SSL. Perhaps try to
generate a new certificate for server usage?
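
The usage restriction mentioned in the comment above is carried in the certificate's keyUsage extension. The following is an added example, not part of the original comment and not Firefox or NSS code: it decodes the extension's DER BIT STRING and checks it against the server-certificate rules of RFC 5246 section 7.4.2. The function names are hypothetical and the sample byte strings are constructed.

```python
# Added example: decode an X.509 keyUsage value and test it for TLS server use.
# Bit order is the KeyUsage definition in RFC 5280 section 4.2.1.3.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

# Bit a server certificate needs per key exchange (RFC 5246 section 7.4.2).
REQUIRED_FOR_SERVER = {
    "RSA": "keyEncipherment",
    "DHE_RSA": "digitalSignature",
    "ECDHE_RSA": "digitalSignature",
    "DH_RSA": "keyAgreement",
}

def decode_key_usage(der: bytes) -> set:
    """Return the usage names set in a DER-encoded keyUsage BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    if der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("unexpected length encoding")
    unused, payload = der[2], der[3:]
    if unused > 7 or not payload:
        raise ValueError("keyUsage must carry at least one bit")
    total_bits = len(payload) * 8 - unused
    names = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        # Bit 0 is the most significant bit of the first payload byte.
        if i < total_bits and payload[i // 8] & (0x80 >> (i % 8)):
            names.add(name)
    return names

def server_usage_ok(usages, key_exchange: str) -> bool:
    """usages=None means the certificate has no keyUsage extension."""
    if usages is None:
        return True  # an absent extension places no restriction
    return REQUIRED_FOR_SERVER[key_exchange] in usages

if __name__ == "__main__":
    # Constructed sample values, not taken from the host in this report.
    samples = {"server": "030205a0", "ca-only": "03020106", "email": "030206c0"}
    for label, hexval in samples.items():
        usages = decode_key_usage(bytes.fromhex(hexval))
        verdict = {kx: server_usage_ok(usages, kx) for kx in ("RSA", "DHE_RSA")}
        print(label, sorted(usages), verdict)
```
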

Comment 2 Jeff Burke 2008-04-04 14:31:41 UTC
Michal,
   Did you connect to the host in "Steps to Reproduce"? Were you able to create
an exception for this host https://192.168.77.18/?


Comment 3 Matěj Cepl 2008-04-04 15:59:32 UTC
(In reply to comment #2)
>    Did you connect to the host in "Steps to Reproduce". Were you able to create
> an exception for this host https://192.168.77.18/

Except, this bug is supposed to be about self-signed certificates, which is not the case
here. Here the certificate is rejected because it is defective.

True self-signed certificates work without a hitch.

Comment 4 Matěj Cepl 2008-04-04 16:10:34 UTC
Ken, what do you think?

Comment 5 Kai Engert (:kaie) (inactive account) 2008-04-04 18:04:36 UTC
While related to SSL, the required fix is not at the NSS, but at the Firefox
application level.

We can try to get it fixed. See https://bugzilla.mozilla.org/show_bug.cgi?id=427081


Comment 6 Christopher Aillon 2008-04-08 15:32:30 UTC
Moving back to firefox

Comment 12 errata-xmlrpc 2008-05-21 14:25:08 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2008-0479.html