Issue 797203


Issue metadata

Status: Duplicate
Merged: issue 769771
Owner: ----
Closed: Dec 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug

ERR_SSL_SERVER_CERT_BAD_FORMAT for certificate with invalid time

Reported by kennario...@gmail.com, Dec 22 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36

Steps to reproduce the problem:
When visiting an HTTPS site whose SSL certificate was generated by OpenSSL, ERR_SSL_SERVER_CERT_BAD_FORMAT is displayed without further explanation.

What is the expected behavior?
Able to open the website properly.

What went wrong?
Sample SSL certificate:


Did this work before? Yes 58

Chrome version: 63.0.3239.84  Channel: n/a
OS Version: 10.0
Flash Version:
 
Components: Internals>Network>Certificate
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
This certificate has a number of validation problems. Of them, I expect that the incorrectly formatted date is the culprit.

cablint	ERROR	BR certificates must be 39 months in validity or less
cablint	ERROR	BR certificates must include certificatePolicies
cablint	ERROR	Generalized Time before 2050
cablint	ERROR	Generalized Time without seconds or with fractional seconds
cablint	ERROR	Time not in Zulu/GMT
cablint	WARNING	Certificate does not include authorityInformationAccess. BRs require OCSP stapling for this certificate.
cablint	WARNING	NotDER in Certificate
cablint	WARNING	Serial numbers should have at least 20 bits of entropy
cablint	INFO	TLS Server certificate identified
x509lint	ERROR	Invalid time format
x509lint	ERROR	no authorityInformationAccess extension
x509lint	ERROR	No OCSP over HTTP
x509lint	ERROR	No policy extension
x509lint	WARNING	No HTTP URL for issuing certificate
x509lint	INFO	Subject has a deprecated CommonName
x509lint	INFO	Unknown validation policy
zlint	FATAL	parsing time "201712010000-0800" as "20060102150405Z0700": cannot parse "-0800" as "05"
Mergedinto: 769771
Status: Duplicate (was: Unconfirmed)
Summary: ERR_SSL_SERVER_CERT_BAD_FORMAT for certificate with invalid time (was: ERR_SSL_SERVER_CERT_BAD_FORMAT)
What tool do you use to check this? I re-created the certs. Can you evaluate?


Those results were from https://crt.sh/lintcert and still show invalid:

cablint	ERROR	Generalized Time before 2050
cablint	NOTICE	CA certificates without Digital Signature do not allow direct signing of OCSP responses
cablint	INFO	CA certificate identified
x509lint	ERROR	Invalid time format
zlint	ERROR	Certificates valid through the year 2049 MUST be encoded in UTC time


How are you generating these certificates?
I use this script format:

openssl ca -config openssl.cfg -extensions server_ext -startdate 20171201000000Z -enddate 20281201000000Z -notext -batch -md sha256 -passin pass:12345678 -in csr\server.csr.pem -out certs\server.cert.pem

[ server_ext ]
keyUsage                = critical,digitalSignature,keyEncipherment
basicConstraints        = critical,CA:false
extendedKeyUsage        = serverAuth,clientAuth
authorityKeyIdentifier  = keyid:always
subjectKeyIdentifier    = hash
subjectAltName          = DNS:domain.local,DNS:server.domain.local

[ root_ca_ext ]
keyUsage                = critical,keyCertSign,cRLSign
basicConstraints        = critical,CA:true
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always

Did I miss something, or use the wrong params or args?
The use of the four-digit date (2017/2028) forces OpenSSL to encode as GeneralizedTime, as documented at https://www.openssl.org/docs/manmaster/man1/ca.html

The correct way is to use UTCTime, as specified by https://tools.ietf.org/html/rfc5280#section-4.1.2.5

Using "-startdate 171201000000Z -enddate 281201000000Z" should be sufficient to resolve this. Alternatively, use the "-days" argument rather than explicit start/end dates.
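As an added example (not code from the issue thread, Chromium or OpenSSL), the following Python applies the RFC 5280 section 4.1.2.5 encoding rules to the three notBefore encodings that come up in this thread: the original certificate's `201712010000-0800`, the re-created `20171201000000Z`, and the suggested `171201000000Z`. The DER Time TLVs are constructed inline and the function names are assumptions of this example.

```python
import re
from datetime import datetime

UTC_TIME, GENERALIZED_TIME = 0x17, 0x18  # ASN.1 universal tags of the X.509 Time CHOICE alternatives

def encode_time_tlv(tag: int, text: str) -> bytes:
    """Build a DER Time TLV from a tag and its text (used here only to construct sample input)."""
    body = text.encode("ascii")
    return bytes([tag, len(body)]) + body  # Time values always fit a short-form length

def decode_time_tlv(tlv: bytes) -> tuple[int, str]:
    """Split a short-form DER Time TLV into (tag, text), rejecting bad tags and missing or trailing bytes."""
    if len(tlv) < 2 or tlv[0] not in (UTC_TIME, GENERALIZED_TIME) or tlv[1] > 0x7F or len(tlv) != 2 + tlv[1]:
        raise ValueError("malformed Time TLV")
    return tlv[0], tlv[2:].decode("ascii")

def lint_x509_time(tag: int, text: str) -> list[str]:
    """Return the RFC 5280 section 4.1.2.5 violations in one notBefore/notAfter value ([] means clean)."""
    # UTCTime carries a two-digit year, GeneralizedTime a four-digit one; the rest of the layout is shared.
    year_re = r"\d{4}" if tag == GENERALIZED_TIME else r"\d{2}"
    m = re.fullmatch(rf"({year_re})(\d{{2}})(\d{{2}})(\d{{2}})(\d{{2}})(\d{{2}})?(\.\d+)?(Z|[+-]\d{{4}})?", text)
    if not m:
        return ["time string does not match the Time grammar"]
    year, mon, day, hh, mm, ss, frac, zone = m.groups()
    # RFC 5280: a UTCTime year of 50..99 means 19xx and 00..49 means 20xx.
    year4 = int(year) if tag == GENERALIZED_TIME else (1900 if int(year) >= 50 else 2000) + int(year)
    findings = []
    if ss is None:
        findings.append("seconds are mandatory (YYMMDDHHMMSSZ / YYYYMMDDHHMMSSZ)")
    if frac:
        findings.append("fractional seconds are not allowed")
    if zone != "Z":
        findings.append("time must be in Zulu/GMT, terminated by 'Z'")
    if tag == GENERALIZED_TIME and year4 < 2050:
        findings.append("dates through 2049 must be encoded as UTCTime, not GeneralizedTime")
    try:
        datetime(year4, int(mon), int(day), int(hh), int(mm), int(ss or 0))
    except ValueError:
        findings.append("calendar date or time of day is out of range")
    return findings

if __name__ == "__main__":
    # Constructed samples mirroring the three encodings that come up in the thread.
    samples = {
        "original cert (no seconds, -0800 offset)": encode_time_tlv(GENERALIZED_TIME, "201712010000-0800"),
        "re-created cert (-startdate 20171201000000Z)": encode_time_tlv(GENERALIZED_TIME, "20171201000000Z"),
        "suggested fix (-startdate 171201000000Z)": encode_time_tlv(UTC_TIME, "171201000000Z"),
    }
    for label, tlv in samples.items():
        print(label, "->", lint_x509_time(*decode_time_tlv(tlv)) or ["OK"])
```

The first sample reproduces the three cablint errors quoted above (no seconds, not Zulu, GeneralizedTime before 2050); the second keeps only the GeneralizedTime-before-2050 finding, and the third is clean.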
