Closed Bug 816495 Opened 12 years ago Closed 11 years ago

Error code for failure to import/update CRLs that use MD5-based signatures is unclear

Categories

(Core Graveyard :: Security: UI, defect)

16 Branch
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: mozthun, Unassigned)

Attachments

(1 obsolete file)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0
Build ID: 20121119183901

Steps to reproduce:
1. Import the 'Root Certificate (DER Format)' using the link on http://www.cacert.org/index.php?id=3
2. Import the corresponding CRL on the same page (make sure it's revoke.crl and not class3-revoke.crl)

Actual results:
The following error occurs, when importing or updating the CRL:
The application cannot import the Certificate Revocation List (CRL).
Error Importing CRL to local Database. Error Code:ffffe009

Expected results:
CRL Import Status window should open with a message like: The Certificate Revocation List (CRL) was successfully imported...
OS: Windows 7 → All
Hardware: x86_64 → All
I tried with various versions of Firefox since Firefox 16 and I'm not able to reproduce the issue. Each time, the Certificate Revocation List (CRL) was successfully imported. Do you think it could be a temporary issue?
Firefox 15.0.1 and before don't have the problem, but 16.0 to 17.0 all throw the error. All were tested with a freshly installed WinXP system image each time. As the files didn't change during my tests, the behaviour changed from 15.0.1 to 16.0.

Firefox 17 on Linux and Mac shows the same issue (also Thunderbird and SeaMonkey on Windows with the current version).

Please make sure not to mix up Class 1 and Class 3 certificates and CRLs on the cacert page. When the corresponding certificate is not imported in Firefox, the CRL can be imported without any problem.
The "real" error code you get with Firefox/Thunderbird 16 and later when following the STR from comment 0 is actually ffffe0b0 (not ffffe009). What matters is that at least the "Trust this CA to identify websites" option is checked when importing the root certificate. 0xffffe0b0 corresponds to SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED. This issue is the consequence of bug 650355.
Kaspar is right! I made a mistake on copy & paste. Sorry guys!
Summary: Import/Update of CRLs fails on 16/17 Branch → Import/Update of CRLs fails on 16/17 Branch - ffffe0b0
The exact error message is:
The application cannot import the Certificate Revocation List (CRL).
Error Importing CRL to local Database. Error Code:ffffe0b0
Please ask your system administrator for assistance.

And in fact, the regression range is:
good=2012-07-13
bad=2012-07-14
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=6489be1890c0&tochange=0602e44ac248

Not sure if it's a valid regression, but CC'ing devs.
Blocks: 650355
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: regression
Component: Security: PSM → Security: UI
Keywords: regression
Summary: Import/Update of CRLs fails on 16/17 Branch - ffffe0b0 → Error code for failure to import/update CRLs that use MD5-based signatures is unclear
(In reply to Loic from comment #5)
> Not sure if it's a valid regression, but CC'ing devs.

This is working as intended. It is a consequence of dropping support for MD5, which is something that all major browsers have done.
The error message
Error Importing CRL to local Database. Error Code:ffffe009
showed we are printing the error code as an unsigned hexadecimal integer. This patch changes to print the error code as a signed decimal integer.

Does anyone know how to print the error code's symbolic name instead? PSM usually prints the symbolic name in all lowercase.
Attachment #687321 - Flags: superreview?(kaie)
Attachment #687321 - Flags: review?(bsmith)
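Added example (not code from this bug or from NSS/PSM): how the hex value shown in the dialog relates to the signed NSS error code that the patch in comment 7 would print, using the two codes mentioned in this thread. The function names and the two-entry name table are illustrative assumptions; SEC_ERROR_BASE and SEC_ERROR_LIMIT follow NSS's secerr.h, and real code would call PR_ErrorToName().

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Range constants as in NSS secerr.h. */
#define SEC_ERROR_BASE  (-0x2000)
#define SEC_ERROR_LIMIT (SEC_ERROR_BASE + 1000)

/* Constructed sample: the dialog text quoted in this bug. */
static const char SAMPLE_DIALOG[] =
    "Error Importing CRL to local Database. Error Code:ffffe0b0";

/* Hex after "Error Code:" -> signed 32-bit NSS value; 0 on success, else -1. */
int dialog_to_nss_error(const char *text, int32_t *out)
{
    const char *p = strstr(text, "Error Code:");
    if (!p) return -1;
    p += strlen("Error Code:");
    p += strspn(p, " ");                 /* tolerate the optional space */
    if (!isxdigit((unsigned char)*p)) return -1; /* also rejects "-8016" */
    unsigned long long v = strtoull(p, NULL, 16);
    if (v > 0xFFFFFFFFULL) return -1;    /* not a 32-bit pattern */
    *out = (int32_t)((int64_t)v - ((v & 0x80000000ULL) ? 0x100000000LL : 0));
    return 0;
}

/* Offset from SEC_ERROR_BASE, or -1 when the code is outside that range. */
int sec_error_offset(int32_t code)
{
    return (code >= SEC_ERROR_BASE && code < SEC_ERROR_LIMIT) ? code - SEC_ERROR_BASE : -1;
}

/* Two-entry illustration (hypothetical helper); NSPR offers PR_ErrorToName(). */
const char *sec_error_name(int32_t code)
{
    switch (sec_error_offset(code)) {
    case 9:   return "SEC_ERROR_BAD_DER";
    case 176: return "SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED";
    default:  return NULL;
    }
}

int main(void)
{
    int32_t c;
    if (dialog_to_nss_error(SAMPLE_DIALOG, &c)) return 1;
    return printf("%d = SEC_ERROR_BASE + %d (%s)\n", (int)c, sec_error_offset(c), sec_error_name(c)) < 0;
}
```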
I should clarify: printing the error code's symbolic name is probably the fallback behavior. I think PSM prefers to print the error message for the error code. I don't know how to do that.

Another cosmetic problem is that the space after "Error Code:" is not printed, even though the space character exists in the source file:
http://mxr.mozilla.org/mozilla-central/source/security/manager/locales/en-US/chrome/pipnss/pipnss.properties#349
Perhaps spaces at the end of a line are ignored.
(In reply to Wan-Teh Chang from comment #7)
> Does anyone know how to print the error code's symbolic name
> instead? PSM usually prints the symbolic name in all lowercase.

1. Simplest: PR_ErrorToName()

2.
    nsCOMPtr<nsINSSErrorsService> errorService = do_GetService(something);
    if (errorService) {
      nsresult nssError;
      rv = errorService->GetXPCOMFromNSSError(errorCode);
      if (NS_SUCCEEDED(rv)) {
        nsAutoString message;
        rv = errorService->GetErrorMessage(getter_Copies(message));
        if (NS_SUCCEEDED(rv)) {
          errorMessage.Append(message);
        }
      }
    }
    errorMessage.Append(' ');
    errorMessage.Append('(');
    const char * nsprErrorName = PR_ErrorToName(errorCode);
    if (nsprErrorName) {
      errorMessage.Append(nsprErrorName);
    } else {
      errorMessage.AppendInt(errorCode);
    }
    errorMessage.Append(')');
- rv = errorService->GetErrorMessage(getter_Copies(message)); + rv = errorService->GetErrorMessage(nssError, getter_Copies(message));
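Review bot: the replacement line passes nssError to GetErrorMessage, but in the snippet it corrects (previous comment) nssError is only declared, as `nsresult nssError;`, and never assigned: the call `errorService->GetXPCOMFromNSSError(errorCode)` stores its result in rv alone. Have that call fill nssError before this line, otherwise GetErrorMessage is handed an uninitialized value.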
(In reply to Brian Smith (:bsmith) from comment #9) Nelson would very much welcome these changes, I assume: bug 379298, bug 443435.
Comment on attachment 687321
Print the error code as a signed decimal integer

Kaspar: thanks for the info. I will move this patch to bug 379298 and close bug 443435 as a duplicate.
Attachment #687321 - Attachment is obsolete: true
Attachment #687321 - Flags: superreview?(kaie)
Attachment #687321 - Flags: review?(bsmith)
The CRL Manager / Revocation Lists feature was removed.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INCOMPLETE
Product: Core → Core Graveyard