ERR_SSL_SERVER_CERT_BAD_FORMAT without explanation when SSL cert is V1
Reported by
andrex.e...@gmail.com,
Jan 5 2018
Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36

Example URL:

Steps to reproduce the problem:
1. Visit an https site whose certificate is in X509v1, not v3 (`openssl x509 -in certfile.pem -text | grep Version` reports `Version: 1 (0x0)`)

What is the expected behavior?
Site loads normally.

What went wrong?
Chrome displayed an error page saying just that the site uses an invalid certificate, and the code ERR_SSL_SERVER_CERT_BAD_FORMAT. There was no explanation of why the certificate was invalid.

Did this work before? N/A

Chrome version: 63.0.3239.108 Channel: n/a
OS Version: Ubuntu 16.04.3 LTS
Flash Version:

An explanation of why the certificate is invalid will be a great help to the user and website admin who are trying to understand why the site won't load. For example, "This site uses an SSL certificate in the X509 version 1 format. Version 1 is no longer supported. X509 version 3 is required."
Jan 5 2018
Please provide a NetLog per these instructions. https://dev.chromium.org/for-testers/providing-network-details (Or the certificate itself is probably sufficient if that'll be easier.)
Jan 7 2018
OK, here's a sample URL: https://x509v1.schulman.us/ . This has an X509v1 certificate, signed by our local certificate authority - root certificate attached.

When I try to load this site in Chrome, I get a page that says:

This site can’t provide a secure connection
x509v1.schulman.us doesn't adhere to security standards.
ERR_SSL_SERVER_CERT_BAD_FORMAT

FWIW, Firefox says the certificate is fine.

Obviously Chrome considers v1 certificates to be deprecated. That being the case, it would help if Chrome would offer the additional information that the certificate is bad because it's v1 not v3.
Jan 7 2018
Thank you for providing more feedback. Adding requester "sc00335628@techmahindra.com" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 7 2018
Thank you. We know there is interest in having more verbose diagnostics when certificates are malformed. Note that it is not always possible to diagnose automatically what it 'should' have been, as an ERR_SSL_SERVER_CERT_BAD_FORMAT merely indicates what the specs expressly forbid/what is invalid, and it's difficult to know intent. I'm marking this as Available as a Feature Request for future diagnostic improvements. We do not presently view this as a bug.
Jan 9 2018
OK. It seems to me that when the result is ERR_SSL_SERVER_CERT_BAD_FORMAT, there's always a reason, and you should be able to report that reason. For example, "X509v1 isn't supported." But thanks for your attention. At least, this issue will help to document the problem for others.
Jan 9 2018
X509v1 is supported. However, a certificate with extensions while asserting X509v1 is not a valid certificate. As I mentioned, we can know why it's wrong, but not what the 'right' / 'intended' thing is. Anyways, it will stay available as a feature request for improving diagnostics.
Jan 10
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue. Sorry for the inconvenience if the bug really should have been left as Available. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 15
Comment 1 by sc00335...@techmahindra.com, Jan 5 2018
Components: -Internals>Network Internals>Network>SSL
Labels: Needs-Triage-M63 Triaged-ET Needs-Feedback
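
The rule stated in the Jan 9 2018 reply (a certificate that carries extensions while asserting X509v1 is not valid) can be checked directly on the DER encoding, which gives a site admin the specific reason the error code alone does not. The following is an added example, not part of the original thread and not Chrome's code; it uses only the Python standard library, and the sample certificates are constructed skeletons with placeholder field contents.

```python
# Added example: X.509 version/extensions consistency check (RFC 5280, section 4.1).

def read_tlv(buf, off):
    """Return (tag, value, next_offset) for the DER element at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[off:off + length], off + length

def check_version(cert_der):
    """Return (version, problems) for a DER-encoded Certificate."""
    _, cert, _ = read_tlv(cert_der, 0)    # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)         # TBSCertificate SEQUENCE
    tags, off, version = [], 0, 1         # version field absent means v1
    while off < len(tbs):
        tag, value, off = read_tlv(tbs, off)
        if tag == 0xA0 and not tags:      # [0] EXPLICIT version INTEGER
            version = int.from_bytes(read_tlv(value, 0)[1], "big") + 1
        tags.append(tag)
    problems = []
    if 0xA3 in tags and version != 3:     # [3] extensions require v3
        problems.append(f"extensions present but certificate asserts v{version}")
    if version == 1 and {0x81, 0x82, 0xA1, 0xA2} & set(tags):
        problems.append("unique identifiers present but certificate asserts v1")
    return version, problems

def tlv(tag, body=b""):
    """Encode one DER element (short-form length only; for the samples)."""
    return bytes([tag, len(body)]) + body

# Constructed skeleton certificates: correct field layout, empty placeholder contents.
FIELDS = tlv(0x02, b"\x01") + tlv(0x30) * 5   # serial, sigAlg, issuer, validity, subject, SPKI
EXTS = tlv(0xA3, tlv(0x30))                   # [3] { empty Extensions }
def wrap(tbs):
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30) + tlv(0x03, b"\x00"))
PLAIN_V1 = wrap(FIELDS)                                  # v1, no extensions
V1_WITH_EXTS = wrap(FIELDS + EXTS)                       # the case from the thread
V3_WITH_EXTS = wrap(tlv(0xA0, tlv(0x02, b"\x02")) + FIELDS + EXTS)

if __name__ == "__main__":
    for name, der in [("v1", PLAIN_V1), ("v1+ext", V1_WITH_EXTS), ("v3+ext", V3_WITH_EXTS)]:
        print(name, check_version(der))
```

To run it against a real certificate, convert the PEM to DER first (for example with `openssl x509 -in certfile.pem -outform DER`) and pass the resulting bytes to `check_version`.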