Avatar for Username

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Ova tema je arhivirana. Pitajte drugo pitanje ako vam je potrebna pomoć.

With respect to the x509v3 Subject Alt Name, what EXACTLY is Firefox 38+ (v38.2.1- v38.4) doing in its certificate format checks?

  • 1 odgovor
  • 2 ima ovaj problem
  • 6 views
  • Posljednji odgovor poslao bergmanem

bergmanem
bergmanem
more options

Given that all other attributes in my server certificates are the same, this works (I can access my webpage): Subj: cn=my.friendlydomainname.com,ou=suborg,ou=suborg,ou=suborg,o=org,c=country SubjectAltName: DNS:my.friendlydomainname.com,DNS:6.7.8.9,IPAddress:6.7.8.9

but, this doesn't: (yields "security library: improperly formatted DIR-encoded message (Error code: sec_error_bad_der)") Subj: cn=my.domain.com,ou=suborg,ou=suborg,ou=suborg,o=org,c=country SubjectAltName: DNS:my.ugly.fullyqualifieddomainname.com.,DNS:my.friendlydomainname.com.,DNS:my.ugly.fullyqualifieddomain.name.com,DNS:my.friendlydomainname.com,DNS:6.7.8.9,IPAddress:6.7.8.9

I can successfully look up all Subject Alt Names in DNS.

Is there a way to see more error detail than the simple sec_error_bad_der message?

The request comes from FF38 in either Windows 7 or CentOS 6. The web server is hosted on CentOS 6.

Given that all other attributes in my server certificates are the same, this works (I can access my webpage): Subj: cn=my.friendlydomainname.com,ou=suborg,ou=suborg,ou=suborg,o=org,c=country SubjectAltName: DNS:my.friendlydomainname.com,DNS:6.7.8.9,IPAddress:6.7.8.9 but, this doesn't: (yields "security library: improperly formatted DIR-encoded message (Error code: sec_error_bad_der)") Subj: cn=my.domain.com,ou=suborg,ou=suborg,ou=suborg,o=org,c=country SubjectAltName: DNS:my.ugly.fullyqualifieddomainname.com.,DNS:my.friendlydomainname.com.,DNS:my.ugly.fullyqualifieddomain.name.com,DNS:my.friendlydomainname.com,DNS:6.7.8.9,IPAddress:6.7.8.9 I can successfully look up all Subject Alt Names in DNS. Is there a way to see more error detail than the simple sec_error_bad_der message? The request comes from FF38 in either Windows 7 or CentOS 6. The web server is hosted on CentOS 6.

All Replies (1)

bergmanem
bergmanem Vlasnik pitanja
more options

Also noticed: If FF fails the first object in the SAN list, it doesn't seem to iterate over the rest (MUST per RFC 2459). I also had a connection fail because the first name in the SAN list was not in DNS. Once it was added to DNS, I could connect.