Bug 409144
Get -8183 error for cert with invalid Basic Constraints extension
Status: RESOLVED DUPLICATE of bug 323557
Opened 17 years ago, closed 17 years ago
Categories: NSS :: Libraries, defect
Tracking: Not tracked
Reporter: ashundi; Assignee: Unassigned
Attachments: 1 file (deleted), application/octet-stream
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/2007112718 Firefox/2.0.0.11
IE, Opera, OpenSSL work fine -- they report the mismatch of name and the fact that it is self-signed but nothing more.
Firefox and Mozilla give -8183 -- bad DER encoding. Unfortunately I can't make the server available but at least I can share the java keystore and the debug info from OpenSSL.
Reproducible: Always
Steps to Reproduce:
OpenSSL> s_client -host sloth -port 8445 -debug
Loading 'screen' into random state - done
CONNECTED(00000788)
depth=0 /CN=my.mydomain.com/C=US/ST=my state/L=my city/O=my organization/OU=my organization unit/emailAddress=email@mycompany.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /CN=my.mydomain.com/C=US/ST=my state/L=my city/O=my organization/OU=my organization unit/emailAddress=email@mycompany.com
verify return:1
---
Certificate chain
0 s:/CN=my.mydomain.com/C=US/ST=my state/L=my city/O=my organization/OU=my organization unit/emailAddress=email@mycompany.com
i:/CN=my.mydomain.com/C=US/ST=my state/L=my city/O=my organization/OU=my organization unit/emailAddress=email@mycompany.com
---
Server certificate
subject=/CN=my.mydomain.com/C=US/ST=my state/L=my city/O=my organization/OU=my organization unit/emailAddress=email@mycompany.com
issuer=/CN=my.mydomain.com/C=US/ST=my state/L=my city/O=my organization/OU=my organization unit/emailAddress=email@mycompany.com
---
No client certificate CA names sent
---
SSL handshake has read 1325 bytes and written 314 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 4769E4B8509142A70BA23E93269F2DAE1440A9F962A64B0BA1F61CA34E5D8402
Session-ID-ctx:
Master-Key: 7338D0265A02875CD51247731F62E77C4F0CEF4CB255017A324D6E386D408A9BE98CBB7091F68A03C7CF03CC81DA8241
Key-Arg : None
Start Time: 1198122211
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
closed
OpenSSL>
Expected Results:
warn of self-signed (unknown CA) and mismatched name only.
Comment 2 • 17 years ago
This cert violates RFC 3280 section 4.2.1.0, and NSS correctly declares
it invalid. I could declare this bug invalid, but instead I'll dup it
to an RFE that asks that we relax our requirement for strict standards
compliance. We're probably not going to do that either, but at least
these issues will be tied together.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Summary: Get -8183 error from Firefox or Mozilla when connecting to server with self-signed cert → Get -8183 error for cert with invalid Basic Constraints extension
Comment 3 • 17 years ago
I wrote:
> This cert violates RFC 3280 section 4.2.1.0,
Make that 4.2.1.10. Sorry for the typo.
I already read http://rfc.net/rfc3280.html#s4.2.1.10
You're right. I can only say that maybe the original error message could have been more helpful.
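Added example (not part of the bug report and not NSS code): a minimal DER reader applied to the Key Usage and Basic Constraints extension bytes copied from the server certificate in the reporter's s_client capture, checked against the cA conditions in RFC 3280 section 4.2.1.10. The function names are hypothetical, and the page does not say which condition produced the -8183 in NSS.

```python
# Added example, not NSS code; function names are hypothetical.
KEY_USAGE_EXT = bytes.fromhex("300e0603551d0f0101ff0404030201f6")    # from the capture
BASIC_CONSTRAINTS_EXT = bytes.fromhex("300c0603551d1304053003020100")  # from the capture

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one definite-length DER TLV."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # yields (tag, value) for each TLV inside a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def extn_value(ext, oid_hex, inner_tag):
    """Unwrap Extension ::= SEQUENCE {extnID, critical DEFAULT FALSE, extnValue}."""
    tag, body, _ = read_tlv(ext)
    parts = list(children(body))
    ok = tag == 0x30 and len(parts) >= 2 and parts[0] == (0x06, bytes.fromhex(oid_hex))
    inner = read_tlv(parts[-1][1]) if ok and parts[-1][0] == 0x04 else (None, b"")
    if inner[0] != inner_tag:
        raise ValueError("not the expected extension")
    return inner[1]

def basic_constraints(ext):
    """Return (cA, pathLenConstraint or None); cA is DEFAULT FALSE when absent."""
    fields = dict(children(extn_value(ext, "551d13", 0x30)))  # OID 2.5.29.19
    path_len = fields.get(0x02)
    return (fields.get(0x01, b"\x00") != b"\x00",
            None if path_len is None else int.from_bytes(path_len, "big", signed=True))

def key_cert_sign(ext):
    """True if KeyUsage bit 5 (keyCertSign) is set; byte 0 is the unused-bit count."""
    bits = extn_value(ext, "551d0f", 0x03)  # OID 2.5.29.15, BIT STRING
    return len(bits) > 1 and bool(bits[1] & 0x04)

def rfc3280_findings(bc_ext, ku_ext):  # the two cA conditions in RFC 3280 4.2.1.10
    ca, path_len = basic_constraints(bc_ext)
    checks = {"pathLenConstraint present without cA": path_len is not None and not ca,
              "keyCertSign asserted without cA": key_cert_sign(ku_ext) and not ca}
    return [msg for msg, hit in checks.items() if hit]
```

For the reporter's certificate, `rfc3280_findings(BASIC_CONSTRAINTS_EXT, KEY_USAGE_EXT)` reports both conditions: the extension carries pathLenConstraint 0 with no cA boolean, and Key Usage asserts keyCertSign.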