New issue
Advanced search Search tips

Issue 780449 link

Starred by 3 users
Status: WontFix
Owner: ----
Closed: Nov 2017
Cc:
thomasanderson@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Self-signed certificate with Extended Key Usage results in SEC_ERROR_INADEQUATE_CERT_TYPE and ERR_CERT_INVALID

Reported by azelenc...@plesk-team.com, Nov 1 2017 
UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36 OPR/48.0.2685.35

Steps to reproduce the problem:
1. Generate self-signed certificate with `X509v3 Extended Key Usage`: `TLS Web Server Authentication` specified. (Try [cert_eKU=serverAuth.pem] or [cert_eKU=serverAuth,anyExtendedKeyUsage.pem] attached.)
2. Run a web server, and configure SSL/TLS to use this certificate.
3. Visit this server in Chrome via HTTPS.

What is the expected behavior?
Chrome shows `NET::ERR_CERT_AUTHORITY_INVALID` error (and allows to proceed unsafe).
See [expected.png] attached (this screen shot is on Windows).

What went wrong?
Chrome for Linux shows `NET::ERR_CERT_INVALID` error (and does NOT allow to proceed unsafe).
See [actual.png] attached.

Log:
~~~
[6842:6941:1030/160442.163762:ERROR:cert_verify_proc_nss.cc(921)] CERT_PKIXVerifyCert for 10.52.50.174 failed err=-8101
~~~
(Code `-8101` corresponds to [SEC_ERROR_INADEQUATE_CERT_TYPE](https://hg.mozilla.org/projects/nss/file/1009afe4faa9/lib/util/secerr.h#l110).)

Did this work before? N/A 

Chrome version: 62.0.3202.75  Channel: stable
OS Version: CentOS Linux release 7.2.1511 (Core)
Flash Version: 

Chrome for Ubuntu/Debian is also affected.
Chrome for Windows works OK.
Certificate with no Extended Key Usage (e.g. [cert_no_eKU.pem]) works OK.

https://chromium.googlesource.com/chromium/deps/nss/
> ... the Linux and Chromium OS ports of Chromium do use a system copy NSS for certificate verification ...

I am not sure whether the problem is in Chromium or NSS.
`nss-3.28.4-15.el7_4.x86_64` is installed on my system.
actual.png
64.5 KB View Download
expected.png
56.9 KB View Download
cert_eKU=serverAuth.pem
5.5 KB Download
cert_eKU=serverAuth,anyExtendedKeyUsage.pem
5.5 KB Download
cert_no_eKU.pem
5.4 KB Download

Comment 1 by manoranj...@chromium.org, Nov 1 2017

Cc: thomasanderson@chromium.org
Components: Internals>Network>SSL

Comment 2 by davidben@chromium.org, Nov 1 2017

Components: -Internals>Network>SSL Internals>Network>Certificate

Comment 3 by eroman@chromium.org, Nov 1 2017

Status: WontFix (was: Unconfirmed)
NSS looks at the EKU in conjunction with the basic constraints.

In this case Basic Constraints says it is a CA, however you are trying to use it as an end entity TLS server cert.

Either remove the basic Constraints, or remove EKU.

This  cert has other issues too, like not including a SAN (so will likely fail with ERR_COMMON_NAME_INVALID anyway).

Comment 4 by azelenc...@plesk-team.com, Nov 3 2017 

Thank you!

Comment 5 by azelenc...@plesk-team.com, Nov 20 2017 

Nevertheless, what do you think of <https://tools.ietf.org/html/rfc5280#section-4.2.1.12>:

> ... Certificate using
> applications MAY require that the extended key usage extension be
> present and that a particular purpose be indicated in order for the
> certificate to be acceptable to that application.
>
> If a CA includes extended key usages to satisfy such applications,
> but does not wish to restrict usages of the key, *the CA can include
> the special KeyPurposeId anyExtendedKeyUsage in addition to the
> particular key purposes required by the applications.*

It looks like [cert_eKU=serverAuth,anyExtendedKeyUsage.pem] should work OK.

Sign in to add a comment