www.iad.gov shows ERR_CERT_INVALID on Mac but not Windows
Project Member Reported by email@example.com, Sep 9 2017
Chrome Version: 63.3210

What steps will reproduce the problem?
(1) Visit https://www.iad.gov

EXPECT: Error interstitial with override option.
ACTUAL: Error interstitial without override option.

Net-internals log shows ERR_CERT_INVALID on Mac, but not Windows; on Windows, click-through is permitted. The certificate has Serial number "5153"; https://crt.sh/?id=16210158&opt=x509lint,cablint … shows a few warnings, but none are obviously fatal. Perhaps fallout from Mac certificate validation changes in https://chromium.googlesource.com/chromium/src/+/4cede8d39db10321b053c0d9776cf6b23f290310?
Sep 12 2017
Not related to use_byte_certs. SecTrustGetResult is showing a CSSMERR_TP_INVALID_CERTIFICATE error on the target cert statuscode from SecTrustGetResult and on the overall SecTrustGetCssmResultCode. I'm not sure what it doesn't like about it.
Matt: Do you have any bandwidth to chase this down? Safari provides this as untrusted with click-through, but I'm not clear if they're masking off TP_INVALID_CERTIFICATE. Keychain can also display/parse the chain, at least on 10.12.6. While tempted to close this as WontFix, parsing it as invalid is undesirable.
Poked a bit more. If I remove the policyConstraints (with requireExplicitPolicy) on the intermediate, the CSSMERR_TP_INVALID_CERTIFICATE goes away and we just get ERR_CERT_AUTHORITY_INVALID as expected.

Attached two hacked-up cert chains.
1: has caIssuers removed from AIA, and re-signed with new keys.
2: same as 1, plus with policyConstraints removed from the intermediate cert.

Chain 1 still gets the CSSMERR_TP_INVALID_CERTIFICATE error. Chain 2 does not.
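To check a chain for the extension the comment above removed by hand, here is a small stdlib-only Python helper; it is added here and is not part of the bug thread or of Chromium's code. It walks raw DER (a whole certificate or just its Extensions), finds policyConstraints (OID 2.5.29.36) and decodes requireExplicitPolicy / inhibitPolicyMapping; the embedded sample extension is constructed for illustration, not taken from the iad.gov certificate.

```python
"""Locate the X.509 policyConstraints extension (OID 2.5.29.36) in raw DER and
decode requireExplicitPolicy / inhibitPolicyMapping using only the stdlib."""

POLICY_CONSTRAINTS_OID = bytes.fromhex("551d24")  # 2.5.29.36 in DER

def tlv(tag, value):
    """Encode one short-form DER TLV (enough for the constructed sample)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos):
    """Return (tag, value, position after this TLV) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the byte count
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def iter_children(value):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_policy_constraints(extn_value):
    """extnValue is SEQUENCE { [0] requireExplicitPolicy, [1] inhibitPolicyMapping }, RFC 5280 4.2.1.11."""
    _, seq, _ = read_tlv(extn_value, 0)
    out = {"requireExplicitPolicy": None, "inhibitPolicyMapping": None}
    for tag, val in iter_children(seq):
        if tag == 0x80:                     # [0] IMPLICIT SkipCerts
            out["requireExplicitPolicy"] = int.from_bytes(val, "big")
        elif tag == 0x81:                   # [1] IMPLICIT SkipCerts
            out["inhibitPolicyMapping"] = int.from_bytes(val, "big")
    return out

def find_policy_constraints(der):
    """Depth-first search for the Extension SEQUENCE whose first element is the OID;
    takes a whole certificate or a bare Extensions blob, returns (critical, decoded) or None."""
    stack = [der]
    while stack:
        children = list(iter_children(stack.pop()))
        if children and children[0] == (0x06, POLICY_CONSTRAINTS_OID):
            critical = len(children) == 3 and children[1][1] == b"\xff"
            return critical, decode_policy_constraints(children[-1][1])
        stack.extend(val for tag, val in children if tag & 0x20)  # descend into constructed types
    return None

# Constructed sample (not the iad.gov chain): a critical policyConstraints extension with
# requireExplicitPolicy=0, wrapped in an Extensions SEQUENCE as a certificate would carry it.
SAMPLE_EXTENSIONS = tlv(0x30, tlv(0x30,
    tlv(0x06, POLICY_CONSTRAINTS_OID) + tlv(0x01, b"\xff")
    + tlv(0x04, tlv(0x30, tlv(0x80, b"\x00")))))
```

Run `find_policy_constraints(open("intermediate.der", "rb").read())` on each certificate of a downloaded chain to see which one carries the constraint and whether it is marked critical.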