X
Tap here to go to the mobile version of the site.

Support Forum

I am getting sec_error_extension_value_invalid - how do I fix this?

Posted

Hi I recently installed an IBM IPS device which allows you to inspect SSL traffic. The way it does this is a sort of man in the middle and this means you need to download a certificate from the device and import it into your browsers. The process is detailed here for various browsers: http://www-01.ibm.com/support/docview.wss?uid=swg27039297.

Now this works for IE and Chrome and up until a recent update Firefox. I now get the error sec_error_extension_value_invalid.

Any idea on how to resolve this?

Hi I recently installed an IBM IPS device which allows you to inspect SSL traffic. The way it does this is a sort of man in the middle and this means you need to download a certificate from the device and import it into your browsers. The process is detailed here for various browsers: http://www-01.ibm.com/support/docview.wss?uid=swg27039297. Now this works for IE and Chrome and up until a recent update Firefox. I now get the error sec_error_extension_value_invalid. Any idea on how to resolve this?

Chosen solution

Very helpful. It looks as though the CA issued by the device (XGS 4100) doesn't conform. Remediation is to lower the version of Firefox back to 28.0 which is the last version listed in the support matrix.

Read this answer in context 1

Additional System Details

Installed Plug-ins

  • ActiveTouch General Plugin Container Version 105
  • Shockwave Flash 14.0 r0
  • Google Update
  • 5.1.30214.0
  • Next Generation Java Plug-in 10.51.2 for Mozilla browsers
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • The plugin allows you to have a better experience with Microsoft SharePoint
  • The plugin allows you to have a better experience with Microsoft Lync
  • VMware Remote Console Plug-in
  • NPWLPG
  • Adobe PDF Plug-In For Firefox and Netscape "9.4.0"

Application

  • User Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0

More Information

guigs2
  • Top 10 Contributor
  • Administrator
  • Moderator
760 solutions 8570 answers
Try this may have more information: [https://blog.mozilla.org/security/2014/05/13/checking-compliance-status-with-updated-ca-certificate-policy/]

Chosen Solution

Very helpful. It looks as though the CA issued by the device (XGS 4100) doesn't conform. Remediation is to lower the version of Firefox back to 28.0 which is the last version listed in the support matrix.

Very helpful. It looks as though the CA issued by the device (XGS 4100) doesn't conform. Remediation is to lower the version of Firefox back to 28.0 which is the last version listed in the support matrix.
cor-el
  • Top 10 Contributor
  • Moderator
12741 solutions 117103 answers

Helpful Reply

It is possible to disable this new feature by disabling libPKIX support, but of course this is not recommended for security and vulnerability reasons.

  • about:config page: security.use_mozillapkix_verification = false
It is possible to disable this new feature by disabling libPKIX support, but of course this is not recommended for security and vulnerability reasons. *<b>about:config</b> page: security.use_mozillapkix_verification = false