KawaiiBASIC / classilla

Automatically exported from code.google.com/p/classilla

Should allow sites with improper self-signing keys anyway [snow.centralticket.de] #156

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Reported through Report-A-Bug:

additional_notes_required => Why do I always get the error quote that the 
certificate used in above site is invalid or corrupted (-8102)
relevant_url => https://snow.centralticket.de

When the certificate is examined, it is self-signed. We should either:

- Offer to let the user connect (unfortunately, this will need strings)

- Make sure the cert *is* reasonable

This should probably go into 9.2.2.

Original issue reported on code.google.com by classi...@floodgap.com on 20 Feb 2011 at 5:03

GoogleCodeExporter commented 9 years ago
The certificate works with OS X 10.4-10.6 so it should be reasonable.

Original comment by jacob...@gmail.com on 21 Feb 2011 at 4:49

GoogleCodeExporter commented 9 years ago
-8102 = BASE+90 = sec_error_inadequate_key_usage

This is in fact what Firefox 4 also reports. So NSS is not the problem; we just 
need to allow the user to use the cert. However, the cert is technically bad -- 
the key in question should not be used to sign it.

Original comment by classi...@floodgap.com on 7 Mar 2011 at 1:23

GoogleCodeExporter commented 9 years ago
Two changes needed. To PIPNSS/nsNSSIOLayer.cpp::nsContinueDespiteCertError, to 
the switch list of error conditions that will prompt the dialogue, added 
SEC_ERROR_INADEQUATE_KEY_USAGE. However, NSS will still fail because it does 
not know to check the trust chain in that case, so to 
NSS/certvfy.c::CERT_VerifyCert,

    if ( CERT_CheckKeyUsage(cert, requiredKeyUsage) != SECSuccess
        && !cert->trust ) { // Classilla issue 156
        PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
        LOG_ERROR_OR_EXIT(log,cert,0,requiredKeyUsage);
    }

Verified working against example site.

Original comment by classi...@floodgap.com on 7 Mar 2011 at 2:39
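
The condition posted in the last comment, modelled as an added example (not Classilla or NSS code) to show which certificates still get SEC_ERROR_INADEQUATE_KEY_USAGE at this step. The `model_*` types, the `MODEL_KU_*` bits, the bitmask form of the key usage test, and the assumption that `&& !cert->trust` is the only added clause are all hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the NSS types: only what the condition reads. */
enum { MODEL_KU_SIGNATURE = 0x80, MODEL_KU_ENCIPHERMENT = 0x20 };
typedef struct { unsigned ssl_flags; } model_trust;  /* trust record from the cert DB */
typedef struct {
    unsigned     key_usage;  /* usage bits asserted by the certificate */
    model_trust *trust;      /* NULL when no trust record exists */
} model_cert;

typedef enum { STEP_PASSES = 0, STEP_INADEQUATE_KEY_USAGE = -8102 } step_result;

/* Assumed model of CERT_CheckKeyUsage: every required bit must be present. */
static int key_usage_ok(const model_cert *c, unsigned required) {
    return (c->key_usage & required) == required;
}

/* The check without the "&& !cert->trust" clause (assumed prior form). */
step_result key_usage_step_stock(const model_cert *c, unsigned required) {
    return key_usage_ok(c, required) ? STEP_PASSES : STEP_INADEQUATE_KEY_USAGE;
}

/* The check as posted: the error is raised only when no trust record exists. */
step_result key_usage_step_patched(const model_cert *c, unsigned required) {
    if (!key_usage_ok(c, required) && !c->trust)
        return STEP_INADEQUATE_KEY_USAGE;
    return STEP_PASSES;
}

int main(void) {
    model_trust accepted = { 1 }, empty = { 0 };  /* constructed trust records */
    model_cert certs[] = {                        /* constructed certificates */
        { MODEL_KU_SIGNATURE, NULL },       /* bad usage, no trust record */
        { MODEL_KU_SIGNATURE, &accepted },  /* bad usage, record with a flag set */
        { MODEL_KU_SIGNATURE, &empty },     /* bad usage, record with no flags */
        { MODEL_KU_ENCIPHERMENT, NULL },    /* adequate usage */
    };
    for (size_t i = 0; i < sizeof certs / sizeof certs[0]; i++)
        printf("cert %zu: stock=%d patched=%d\n", i,
               (int)key_usage_step_stock(&certs[i], MODEL_KU_ENCIPHERMENT),
               (int)key_usage_step_patched(&certs[i], MODEL_KU_ENCIPHERMENT));
    return 0;
}
```

The third certificate passes the patched step because the clause tests only that a trust record exists, not what its flags say; what the later trust checks do with that record is outside the lines shown on the page.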