Important Notice: We're experiencing email notification issues. If you've posted a question in the community forums recently, please check your profile manually for responses while we're working to fix this.

Avatar for Username

Sök i support

Akta dig för supportbedrägerier: Vi kommer aldrig att be dig att ringa eller skicka ett sms till ett telefonnummer eller dela personlig information. Rapportera misstänkt aktivitet med alternativet "Rapportera missbruk".

Läs mer

Denna tråd har arkiverats. Ställ en ny fråga om du behöver hjälp.

With respect to the x509v3 Subject Alt Name, what EXACTLY is Firefox 38+ (v38.2.1- v38.4) doing in its certificate format checks?

  • 1 svar
  • 2 har detta problem
  • 2 visningar
  • Senaste svar av bergmanem

bergmanem
bergmanem
more options

Given that all other attributes in my server certificates are the same, this works (I can access my webpage): Subj: cn=my.friendlydomainname.com,ou=suborg,ou=suborg,ou=suborg,o=org,c=country SubjectAltName: DNS:my.friendlydomainname.com,DNS:6.7.8.9,IPAddress:6.7.8.9

but, this doesn't: (yields "security library: improperly formatted DIR-encoded message (Error code: sec_error_bad_der)") Subj: cn=my.domain.com,ou=suborg,ou=suborg,ou=suborg,o=org,c=country SubjectAltName: DNS:my.ugly.fullyqualifieddomainname.com.,DNS:my.friendlydomainname.com.,DNS:my.ugly.fullyqualifieddomain.name.com,DNS:my.friendlydomainname.com,DNS:6.7.8.9,IPAddress:6.7.8.9

I can successfully look up all Subject Alt Names in DNS.

Is there a way to see more error detail than the simple sec_error_bad_der message?

The request comes from FF38 in either Windows 7 or CentOS 6. The web server is hosted on CentOS 6.

Given that all other attributes in my server certificates are the same, this works (I can access my webpage): Subj: cn=my.friendlydomainname.com,ou=suborg,ou=suborg,ou=suborg,o=org,c=country SubjectAltName: DNS:my.friendlydomainname.com,DNS:6.7.8.9,IPAddress:6.7.8.9 but, this doesn't: (yields "security library: improperly formatted DIR-encoded message (Error code: sec_error_bad_der)") Subj: cn=my.domain.com,ou=suborg,ou=suborg,ou=suborg,o=org,c=country SubjectAltName: DNS:my.ugly.fullyqualifieddomainname.com.,DNS:my.friendlydomainname.com.,DNS:my.ugly.fullyqualifieddomain.name.com,DNS:my.friendlydomainname.com,DNS:6.7.8.9,IPAddress:6.7.8.9 I can successfully look up all Subject Alt Names in DNS. Is there a way to see more error detail than the simple sec_error_bad_der message? The request comes from FF38 in either Windows 7 or CentOS 6. The web server is hosted on CentOS 6.

Alla svar (1)

bergmanem
bergmanem Frågans ägare
more options

Also noticed: If FF fails the first object in the SAN list, it doesn't seem to iterate over the rest (MUST per RFC 2459). I also had a connection fail because the first name in the SAN list was not in DNS. Once it was added to DNS, I could connect.