In Chrome/Chromium some websites fail, due to: ERR_CERT_INVALID #195
Comments
Thank you for the high-quality bug report! What is the exact version of NSS that Chrome/Chromium is using on your Linux box?
My reading of Chromium's net/cert/cert_verify_proc_nss.cc:MapSecurityError() is that the following NSS errors are mapped to ERR_CERT_INVALID:

```cpp
case SEC_ERROR_BAD_DER:
case SEC_ERROR_BAD_SIGNATURE:
case SEC_ERROR_CERT_NOT_VALID:
// TODO(port): add an ERR_CERT_WRONG_USAGE error code.
case SEC_ERROR_CERT_USAGES_INVALID:
case SEC_ERROR_INADEQUATE_KEY_USAGE:  // Key usage.
case SEC_ERROR_INADEQUATE_CERT_TYPE:  // Extended key usage and whether
                                      // the certificate is a CA.
case SEC_ERROR_POLICY_VALIDATION_FAILED:
case SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID:
case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION:
case SEC_ERROR_EXTENSION_VALUE_INVALID:
  return ERR_CERT_INVALID;
```
I get NSS error
My current best guess is the following. Servers using EC public keys don't set the Key Encipherment key usage; SSLsplit copies the key usage from the original certificate but uses RSA, resulting in a forged server certificate for RSA that has only Signing but not Key Encipherment key usage, which is treated by NSS as inadequate key usage.
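The key-usage mismatch diagnosed above, modelled as an added example that is not SSLsplit's or NSS's code: the NSS acceptance rule is approximated from the thread's diagnosis rather than transcribed from NSS source, and the `fixed=True` branch is an assumption about how a repair could behave, not a description of branch issue/195.

```python
# Model of the key-usage mismatch behind issue #195 (constructed example,
# not SSLsplit or NSS code). Key usages are RFC 5280 KeyUsage bit names.
from typing import FrozenSet

DIGITAL_SIGNATURE = "digitalSignature"
KEY_ENCIPHERMENT = "keyEncipherment"
KEY_AGREEMENT = "keyAgreement"


def nss_server_key_usage_ok(usage: FrozenSet[str], key_type: str) -> bool:
    """Approximation of NSS's server-certificate key-usage check as the
    thread diagnoses it (assumption, not a transcription of NSS source).
    An absent KeyUsage extension (empty set here) places no restriction.
    An RSA server key does key transport, so it needs keyEncipherment;
    an EC server key signs ECDHE parameters or does ECDH, so
    digitalSignature or keyAgreement suffices."""
    if not usage:
        return True
    if key_type == "rsa":
        return KEY_ENCIPHERMENT in usage
    if key_type == "ec":
        return DIGITAL_SIGNATURE in usage or KEY_AGREEMENT in usage
    raise ValueError(f"unsupported key type: {key_type}")


def forged_key_usage(orig_usage: FrozenSet[str], orig_key_type: str,
                     forged_key_type: str, fixed: bool) -> FrozenSet[str]:
    """Key usage placed on the forged leaf. fixed=False copies the original
    extension verbatim (the pre-fix behaviour described in the thread).
    fixed=True is an assumed repair: when the forged key algorithm differs
    from the original, add the usage bit that algorithm needs for TLS."""
    usage = frozenset(orig_usage)
    if not fixed or orig_key_type == forged_key_type or not usage:
        return usage
    if forged_key_type == "rsa":
        return usage | {KEY_ENCIPHERMENT}
    if forged_key_type == "ec":
        return usage | {DIGITAL_SIGNATURE}
    raise ValueError(f"unsupported key type: {forged_key_type}")


def chrome_accepts_forged(orig_usage, orig_key_type, forged_key_type, fixed):
    """True when a client applying the modelled NSS rule accepts the forged cert."""
    usage = forged_key_usage(orig_usage, orig_key_type, forged_key_type, fixed)
    return nss_server_key_usage_ok(usage, forged_key_type)


if __name__ == "__main__":
    # Constructed input: an ECDSA origin cert carrying only digitalSignature,
    # re-signed with an RSA key (the failing case in this issue).
    ec_origin = frozenset({DIGITAL_SIGNATURE})
    print("before fix:", chrome_accepts_forged(ec_origin, "ec", "rsa", False))  # False
    print("after fix: ", chrome_accepts_forged(ec_origin, "ec", "rsa", True))   # True
```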
Implemented a candidate fix in branch issue/195, can you test drive that and let me know if that fixes the issue for you?
Yes, that works. Thank you.
Merged
I have an interesting issue where only some websites fail to load, using Chrome or Chromium. All websites work using Firefox. For example:
The only common element I can see in the certificates is that the ones that fail have a wildcard DNS name in the Subject Alternative Name field, or more specifically, the SNI matches a wildcard domain name in that field.
If the wildcard is in the Common Name field, it succeeds.
sslsplit -V
uname -a
sslsplit
(file attached)
sslsplit.debug.log