Closed
Bug 816495
Opened 12 years ago
Closed 11 years ago
Error code for failure to import/update CRLs that use MD5-based signatures is unclear
Categories
(Core Graveyard :: Security: UI, defect)
Tracking
(Not tracked)
RESOLVED
INCOMPLETE
People
(Reporter: mozthun, Unassigned)
Attachments
(1 obsolete file)
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0
Build ID: 20121119183901
Steps to reproduce:
1. Import the 'Root Certificate (DER Format)' using the link on http://www.cacert.org/index.php?id=3
2. Import the corresponding CRL on the same page
(make sure it's revoke.crl and not class3-revoke.crl)
Actual results:
The following error occurs when importing or updating the CRL:
The application cannot import the Certificate Revocation List (CRL).
Error Importing CRL to local Database. Error Code:ffffe009
Expected results:
CRL Import Status window should open with a message like:
The Certificate Revocation List (CRL) was successfully imported...
I tried with various versions of Firefox since Firefox 16 and I'm not able to reproduce the issue. Each time, the Certificate Revocation List (CRL) was successfully imported.
Do you think it could be a temporary issue?
Firefox 15.0.1 and before don't have the problem, but 16.0 to 17.0 all throw the error. All were tested with a freshly installed WinXP system image each time.
As the files didn't change during my tests, the behaviour changed from 15.0.1 to 16.0
Firefox 17 on Linux and Mac shows the same issue (as do Thunderbird and SeaMonkey on Windows with the current version).
Please make sure not to mix up Class 1 and Class 3 certificates and CRLs on the cacert page. When the corresponding certificate is not imported in Firefox, the CRL can be imported without any problem.
The "real" error code you get with Firefox/Thunderbird 16 and later when following the STR from comment 0 is actually ffffe0b0 (not ffffe009). What matters is that at least the "Trust this CA to identify websites" option is checked when importing the root certificate.
0xffffe0b0 corresponds to SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED. This issue is the consequence of bug 650355.
Kaspar is right! I made a mistake on copy&paste
Sorry guys!
Summary: Import/Update of CRLs fails on 16/17 Branch → Import/Update of CRLs fails on 16/17 Branch - ffffe0b0
The exact error message is:
The application cannot import the Certificate Revocation List (CRL).
Error Importing CRL to local Database. Error Code:ffffe0b0
Please ask your system administrator for assistance.
And in fact, the regression range is:
good=2012-07-13
bad=2012-07-14
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=6489be1890c0&tochange=0602e44ac248
Not sure if it's a valid regression, but CC'ing devs.
Updated•12 years ago
Component: Security: PSM → Security: UI
Keywords: regression
Summary: Import/Update of CRLs fails on 16/17 Branch - ffffe0b0 → Error code for failure to import/update CRLs that use MD5-based signatures is unclear
Comment 6•12 years ago
(In reply to Loic from comment #5)
> Not sure if it's a valid regression, but CC'ing devs.
This is working as intended. It is a consequence of dropping support for MD5, which is something that all major browsers have done.
Comment 7•12 years ago
The error message
Error Importing CRL to local Database. Error Code:ffffe009
showed we are printing the error code as an unsigned hexadecimal
integer. This patch changes to print the error code as a signed
decimal integer.
Does anyone know how to print the error code's symbolic name
instead? PSM usually prints the symbolic name in all lowercase.
Attachment #687321 -
Flags: superreview?(kaie)
Attachment #687321 -
Flags: review?(bsmith)
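Added example (not part of the bug thread or of PSM's code): a small C program that takes the two dialog strings quoted in this bug, undoes the unsigned-hex formatting to recover the signed error code that the proposed patch would print, and expresses it as an offset from the NSS range base. The function names are hypothetical; the base constants are those defined in NSS's secerr.h and sslerr.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Range constants as defined in NSS's secerr.h and sslerr.h. */
#define SEC_ERROR_BASE (-0x2000)
#define SSL_ERROR_BASE (-0x3000)
#define ERROR_RANGE 1000

/* Pull the hex digits after "Error Code:" out of the dialog text and undo the
 * unsigned formatting: the value is really a signed 32-bit PRErrorCode.
 * Returns 0 when nothing can be parsed (0 lies outside both ranges). */
int32_t code_from_dialog(const char *text) {
    static const char tag[] = "Error Code:";
    const char *p = strstr(text, tag);
    if (!p) return 0;
    p += sizeof(tag) - 1;
    char *end;
    unsigned long long v = strtoull(p, &end, 16); /* skips an optional space */
    if (end == p || v > 0xFFFFFFFFULL) return 0;
    return (int32_t)((long long)v - (v > 0x7FFFFFFFULL ? 0x100000000LL : 0));
}

/* Report which library range the code belongs to and its offset in it. */
const char *classify(int32_t code, int *offset) {
    *offset = 0;
    if (code >= SEC_ERROR_BASE && code < SEC_ERROR_BASE + ERROR_RANGE) {
        *offset = code - SEC_ERROR_BASE;
        return "SEC_ERROR_BASE";
    }
    if (code >= SSL_ERROR_BASE && code < SSL_ERROR_BASE + ERROR_RANGE) {
        *offset = code - SSL_ERROR_BASE;
        return "SSL_ERROR_BASE";
    }
    return "unknown";
}

int main(void) {
    /* The two dialog lines quoted in this bug. */
    const char *dialogs[] = {
        "Error Importing CRL to local Database. Error Code:ffffe009",
        "Error Importing CRL to local Database. Error Code:ffffe0b0",
    };
    for (size_t i = 0; i < 2; i++) {
        int off;
        int32_t code = code_from_dialog(dialogs[i]);
        const char *base = classify(code, &off);
        printf("%%x: %x  %%d: %d  = %s + %d\n", (unsigned)code, code, base, off);
    }
    return 0;
}
```

For ffffe0b0 this yields -8016, that is SEC_ERROR_BASE + 176, the value the thread identifies as SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED.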
Comment 8•12 years ago
I should clarify: printing the error code's symbolic name is probably
the fallback behavior. I think PSM prefers to print the error message
for the error code. I don't know how to do that.
Another cosmetic problem is that the space after "Error Code:" is not
printed, even though the space character exists in the source file:
http://mxr.mozilla.org/mozilla-central/source/security/manager/locales/en-US/chrome/pipnss/pipnss.properties#349
Perhaps spaces at the end of a line are ignored.
Comment 9•12 years ago
(In reply to Wan-Teh Chang from comment #7)
> Does anyone know how to print the error code's symbolic name
> instead? PSM usually prints the symbolic name in all lowercase.
1. Simplest: PR_ErrorToName()
2. nsCOMPtr<nsINSSErrorsService> errorService = do_GetService(something);
   if (errorService) {
     nsresult nssError;
     rv = errorService->GetXPCOMFromNSSError(errorCode);
     if (NS_SUCCEEDED(rv)) {
       nsAutoString message;
       rv = errorService->GetErrorMessage(getter_Copies(message));
       if (NS_SUCCEEDED(rv)) {
         errorMessage.Append(message);
       }
     }
   }
   errorMessage.Append(' ');
   errorMessage.Append('(');
   const char * nsprErrorName = PR_ErrorToName(errorCode);
   if (nsprErrorName) {
     errorMessage.Append(nsprErrorName);
   } else {
     errorMessage.AppendInt(errorCode);
   }
   errorMessage.Append(')');
Comment 10•12 years ago
- rv = errorService->GetErrorMessage(getter_Copies(message));
+ rv = errorService->GetErrorMessage(nssError, getter_Copies(message));
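Review bot: nssError is passed to GetErrorMessage on the corrected line, but in the comment 9 sketch it is only declared (nsresult nssError;) and never assigned, because the preceding call is GetXPCOMFromNSSError(errorCode) with nothing that stores the mapped value. As written, the corrected line would read an uninitialised nsresult. The GetXPCOMFromNSSError step should write its result into nssError before this call, and the call should stay inside the NS_SUCCEEDED(rv) check so it only runs when that mapping succeeded.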
Comment 11•12 years ago
(In reply to Brian Smith (:bsmith) from comment #9)
Nelson would very much welcome these changes, I assume: bug 379298, bug 443435.
Comment 12•12 years ago
Comment on attachment 687321 [details] [diff] [review]
Print the error code as a signed decimal integer
Kaspar: thanks for the info. I will move this patch to bug 379298
and close bug 443435 as a duplicate.
Attachment #687321 -
Attachment is obsolete: true
Attachment #687321 -
Flags: superreview?(kaie)
Attachment #687321 -
Flags: review?(bsmith)
Comment 13•11 years ago
The CRL Manager / Revocation Lists feature was removed.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INCOMPLETE
Updated•8 years ago
Product: Core → Core Graveyard