Invalid HP ProCurve SSL certificates?
Reported by ytdl...@gmail.com, Jul 26
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.60
Example URL: Any 2910al switch (probably all others too) with self-signed certificate

Steps to reproduce the problem:
1. switch web-admin > security > SSL > generate CSR
2. sign with local CA and copy new cert to switch
3. reboot switch

What is the expected behavior?
When opening the switch via its DNS name, it should open the login page and display a valid certificate. -> this does work in the latest Firefox (61.0.1)

What went wrong?
Any chromium browser displays a "doesn't adhere to security standards" with the "ERR_SSL_SERVER_CERT_BAD_FORMAT" error.

Did this work before? N/A
Chrome version: 68.0.3440.75 Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 29.0 r0

I could export the certificate from Firefox and attach it here if this helps?

And on another note: there is no problem with the certificate the switch itself(!) can generate, only when trying to use a cert that's signed by our CA this problem occurs (although this CA's certs are in use everywhere in our company, so it does sign them correctly...). But if we are using the switches certificate, we have the following errors, which is why we're trying to replace them:
o) ERR_CERT_AUTHORITY_INVALID
o) Subject Alternative Name missing
Jul 26
ytdlder@ Thanks for the issue. This issue seems to be out of scope of triaging at TE end. Hence adding 'Internals>Network>SSL' component, label 'TE-NeedsTriageHelp' and requesting the team to look into the issue and help in further triaging. Thanks..
Jul 26
Please collect and attach a chrome://net-export log. Instructions can be found here: https://sites.google.com/a/chromium.org/dev/for-testers/providing-network-details
Jul 27
As requested, the log file when trying to open "https://hp_2910al_1/", which is one of the switches in question. Thanks a lot!
Jul 27
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 27
Thanks for the log.
The certificate has the subject commonName "hp_2910al_1" which is encoded as a PrintableString, but underscore ("_") is not a valid character in the PrintableString character set.
Regenerating the cert using UTF8String for the commonName should fix it.
Jul 30
Hey, thank you very much mate! Changed "_" to "-" and it works like a charm!! Weird that Firefox doesn't nag about that... Do you know any list with accepted characters? And sorry: I thought it might be a Chromium bug, seeing as it worked in Firefox; my bad!!
Jul 30
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 30
No problem. Browsers have been pretty lenient about such errors but we're trying to tighten things down where we can. https://en.wikipedia.org/wiki/PrintableString has the list.
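The PrintableString check discussed in this thread, as an added example that is not part of any comment and is not Chromium's code: a small DER walker that flags PrintableString values containing characters outside the PrintableString alphabet. The helper names (`tlv`, `walk`, `bad_printable_strings`, `name_with_cn`) are hypothetical, the sample Name is constructed, and the input is assumed to be well-formed DER.

```python
import string

# PrintableString alphabet: letters, digits, space and ' ( ) + , - . / : = ?
PRINTABLE = set(string.ascii_letters + string.digits + " '()+,-./:=?")
TAG_PRINTABLE, TAG_UTF8 = 0x13, 0x0C

def tlv(tag, value):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value

def walk(der, offset=0, end=None):
    """Yield (tag, value) for each primitive TLV, descending into constructed ones."""
    end = len(der) if end is None else end
    while offset < end:
        tag, first = der[offset], der[offset + 1]
        offset += 2
        if first & 0x80:                      # long-form length
            nbytes = first & 0x7F
            length = int.from_bytes(der[offset:offset + nbytes], "big")
            offset += nbytes
        else:
            length = first
        if tag & 0x20:                        # constructed: SEQUENCE, SET, [n]
            yield from walk(der, offset, offset + length)
        else:
            yield tag, der[offset:offset + length]
        offset += length

def bad_printable_strings(der):
    """Return [(text, invalid_chars)] for PrintableStrings outside the alphabet."""
    findings = []
    for tag, value in walk(der):
        if tag == TAG_PRINTABLE:
            text = value.decode("latin-1")
            bad = sorted(set(text) - PRINTABLE)
            if bad:
                findings.append((text, bad))
    return findings

def name_with_cn(cn, string_tag):
    """Constructed sample: a Name holding one commonName RDN (OID 2.5.4.3)."""
    oid_cn = tlv(0x06, bytes([0x55, 0x04, 0x03]))
    atv = tlv(0x30, oid_cn + tlv(string_tag, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))

if __name__ == "__main__":
    print(bad_printable_strings(name_with_cn("hp_2910al_1", TAG_PRINTABLE)))
```

The same function accepts a whole DER certificate (for example the bytes from `ssl.PEM_cert_to_DER_cert`), since it descends through every constructed element.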
Jul 31
Thank you very much! Is there a way for me to close this ticket, or is that up to you? cheers!
Comment 1 by ytdl...@gmail.com, Jul 26

openssl x509 -text -noout -in hp_2910al_1.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: bf:a8:a2:38:d2:82:47:bc
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=AT, ST=Upper Austria, L=Traun, O=Stadtamt Traun, OU=IT, CN=*.traun.at/emailAddress=<removed>
        Validity
            Not Before: Jul 26 08:13:58 2018 GMT
            Not After : Jul 23 08:13:58 2028 GMT
        Subject: CN=hp_2910al_1, OU=IT, O=Stadtamt Traun, L=Traun, ST=Upper Austria, C=AT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:3B:A3:8D:0B:E3:D9:8A:FF:69:55:42:6E:5D:0B:59:6E:1F:15:F9:B4
                DirName:/C=AT/ST=Upper Austria/L=Traun/O=Stadtamt Traun/OU=IT/CN=*.traun.at/emailAddress=<removed>
                serial:A7:96:C2:41:11:63:17:19
            Netscape Cert Type:
                SSL Server
            X509v3 Subject Key Identifier:
                23:4E:08:91:9B:1D:DC:46:DF:51:92:87:54:C2:59:9D:4A:16:33:91
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:hp_2910al_1
    Signature Algorithm: sha256WithRSAEncryption