I didn't had any nameConstraints configured in these tests ################################### Test A1 leaf certificate issued to >> E = root at an3k.de, CN = backup.an3k.lan, O = an3k Industries Ltd., L Otherwise we'd be allowing a > UTF-8-encoded PrintableString to match a UTF8String, which seems > unnecessarily liberal. > > Of course, when we do the binary comparison above and elsewhere, we However in this case Mageia's firefox is the only webbrowser to forbid acces. Comment 7 Stephen Davidson 2015-04-01 12:36:40 PDT Aaah, so I was looking in the right quarry but under the wrong rock! Source
These steps didn't solve the problem (still can't access several sites with the same message "sec_error_cert_not_in_name_space") Comment 19 Kathleen Wilson 2014-09-04 09:46:11 PDT Please list the sites that are failing, so Only one site in the Pulse top 220k list turned up with this error: https://techsupport.dodea.edu/ So, likely this is pretty rare. Firefox 38.2.0 can't access it in both normal and safe mode(all add-on disabled). Status: RESOLVED DUPLICATE of bug 1111399 Whiteboard: Keywords: Product: Core Classification: Components Component: Security: PSM (show other bugs) Version: 31 Branch Platform: All All Importance: -- normal (vote) TargetMilestone: --- Assigned
Carrying over r+. My Structure: - Root CA - Intermediate CA 1 - Intermediate CA 2 - Intermediate CA 3 - Signing CA The Intermediate CA 3 writes name constraints into the Signing CA's but as far as I am concerned, i don't care sacoche.ac-caen.fr :) I have the same problem with several other sites. +1 for Nico286'suggestion : the final user, once advised, should it is evidence of a breach.
Thanks! improvable. Comment 14 Markus Jungwirth 2015-04-06 10:50:37 PDT https://www.statistik.bayern.de seems also be affected by this bug. Apparently some of their certs that worked through FF36 > are now throwing errors in FF37.
Comment 15 Liz Henry (:lizzard) (needinfo? Steps to Reproduce: 1.Go to this page : https://sacoche.ac-caen.fr 2. On the other hand I wish the company of said router wouldn't be so damn lazy and just update the firmware with new certificates, since they're already an year over their https://support.mozilla.org/questions/1078591 It's more likely that there's an actual problem connecting to the server or something.
Since the last FF update I couldn't access my router anymore due to that error message. The web server provides certificates for all Intermediate CAs and the Signing CA in the correct order. Keeler you are correct. Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] I love that when it happens :) 2015-05-12 16:56 GMT+02:00 Ben Humpert
Comment 5 andre salaun 2014-06-21 18:36:23 CEST (In reply to Marja van Waes from comment #4) > ouch, I'm waking up > > FF can't give access to a certificate, if http://superuser.com/questions/826232/how-to-bypass-the-secure-connection-failed-warning-in-firefox-33 chromium) which let me override this. Related 0Secure Connection Failed using Firefox1Firefox, “Secure Connection Failed” and client certificate1Why 'This Connection is Untrusted' for practically every site on Mozilla Firefox?45Firefox “Untrusted Connection” warnings when visiting reputable HTTPS sites HesabımAramaHaritalarYouTubePlayHaberlerGmailDriveTakvimGoogle+ÇeviriFotoğraflarDaha fazlasıDokümanlarBloggerKişilerHangoutsGoogle'a ait daha da fazla uygulamaOturum açınGizli alanlarGrupları veya mesajları ara Geckozone Forums consacrés aux applications basées sur Gecko, le moteur d'affichage de Mozilla Accéder au contenu Rechercher Recherche avancée
As a result, this is not something Firefox would allow certificate exceptions for. http://idroprofessional.com/general/sec-error-no-memory.html What section 220.127.116.11 also says is When applying restrictions of the form directoryName, an implementation MUST compare DN attributes. The strings are > encoded as PrintableString (ASN.1 tag 0x13). Status: RESOLVED FIXED Product: Mageia Classification: Unclassified Component: RPM Packages Version: 4 Platform: All Linux Priority: Normal Severity: major TargetMilestone: --- Assigned To: QA Team QA Contact: URL: http://sacoche.ac-caen.fr Whiteboard: MGA3TOO
It does not do so when the name DNS is used > or when no subjectAltName extension is present at all. See Test C2 > - Chrome, Firefox (and for sure Internet Explorer) throwed an error > while there is no nameConstraints violation. cor-el said Try to rename the cert8.db file (cert8.db.old) and delete the cert_override.txt file in the Firefox profile folder to remove intermediate certificates and exceptions that Firefox has stored. http://idroprofessional.com/general/sec-error-not-initialized.html Just login to the Webmin web UI and select: Webmin -> Webmin Configuration -> SSL Encryption -> Self Signed Certificate.
Bug13563 - Firefox does not give possibility to load a https page when there is a "sec_error_cert_not_in_name_space" error Summary: Firefox does not give possibility to load a https page when there Reading this https://hg.mozilla.org/mozilla-central/rev/cfe200a463ab seems to say that now nameConstraints would need to include domain.com AND/OR .domain.com (note the leading dot). Comment 14 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2014-08-28 00:46:35 PDT Maybe Ryan has an opinion and/or contacts within Microsoft that can fix Microsoft's documentation and/or comment on why Microsoft's implementation
Expected results: This site is accesible with any other browser tested (i.e.
Citer Messagepar TheBigMario » 03 oct. 2014, 16:58 Oui.Le pb est que je ne peux même pas afficher les infos de certificat, c'est comme si le site (intranet) n'est avait pas I guess it's the normal behaviour now. These do not match, so mozilla::pkix reports that the certificate is not in the name space permitted by the intermediate. what can I do ?
Works fine now! Actual results: I get an error "sec_error_cert_not_in_name_space" and I see no way to add an execption. I have > confirmed this. > > The SSL in question is issued to https://www.pki.bayern.de and the > nameconstraint in the ICA is for bayern.de. Check This Out Seems cleaner to avoid Reader when we're just matching on equality. @@ -576,5 @@ > - Input presentedID; > - rv = der::ReadTagAndGetValue(rdn, valueEncodingTag, presentedID); > - if (rv != Success)
Do you have an idea of the magnitude of the impact of this bug?