Internet Explorer just doesn't care about security!
SummaryThis is my experience of a bug that I thought was a Mozilla bug but it turned out that Internet Explorer just doesn't care about security.
StoryIt all started when we, TDC Internet, just got a new SSL Server Certificate from a Certification Authority (CA) called certifkat.dk.
We installed the certificate on the server and suddenly Mozilla couldn't view anything on the site or even connect to the site. All you got when trying to view a web page on the server was Error -8102. Unable to go to site.
Then I tried using Internet Explorer and everything worked fine. Could Mozilla be wrong? Perhaps the certificate was in a format that Mozilla didn't support?
I tried using the official Mozilla releases instead of my nightly build, but I still got the same error.
I did some searching in Bugzilla and on Google and found that error -8102 was "Certificate key usage inadequate for attempted operation.". So perhaps the certificate contained a key, whatever that was, that only Internet Explorer knew about.
So I filed a bug in Bugzilla so that a Mozilla developer and all other Bugzilla users could help me in finding the solution to the problem. I also used IRC to get more information.
And the Mozilla Community is amazing. People quickly came up with SSL stack traces and debug information.
ConclusionThe problem lies in the certificate issued by the Certification Authority. The certificate uses an extension that indicates what the certificate can be used for. The CA accidentally hadn't set the SSL server extension so the certificate was not valid as a SSL server certificate.
Internet Explorer does not check this and just assumes that it's a valid SSL server certificate. Mozilla on the other hand checks this and correctly refuses to go to the site. The error message in Mozilla is not the best but that's it also being worked on. So it turns out that Internet Explorer just don't care about security. Mozilla cares about security and therefore checks the certificate to see if it is valid to be a SSL server certificate. Another win for Mozilla!
My original bug report which later became a duplicate of bug 142280
A bug report which describes the same problem that I had. It's marked wontfix since the problem isn't a Mozilla bug.
Thanks for detailing this problem, we just encountered a similar error and the description was most helpful... especially as the error message doesn't appear to have been enhanced any in the meantime (more than a year).Comment by Mike at March 12, 2004 08:51 PM | Permalink
Who may know how to generate a certificate to avoid this problem?Comment by Theodor at October 20, 2005 02:05 PM | Permalink