SSL Security Error

From MozillaZine Knowledge Base

Revision as of 20:22, 16 August 2011

This article applies to Firefox, Thunderbird, Mozilla Suite and SeaMonkey.

Domain Name Mismatch or Server Certificate Expired

"Security Error: Domain Name Mismatch" occurs when you make a secure connection to a server whose host name does not match any name in the certificate it presents. The warning tells you that the site you reached may not be the one you intended: exactly the same mismatch appears if someone intercepts the connection and presents a certificate issued for a different name. It may also occur when a site changes its domain name but doesn't obtain a certificate for the new domain.

"Security Error: Server Certificate Expired" occurs if the certificate's expiry date is earlier than your system date, that is, the certificate's validity period has ended. Either the certificate has genuinely expired, or your system clock is wrong: a clock set years ahead makes every certificate look expired, and one set too far back makes certificates appear not yet valid.

In both cases you should make a judgment as to whether you still want to trust the server for what you are about to do with it. For example, it is not a good idea to send your credit card details to a site with either of these problems, but it may be acceptable for posting on a forum. If you trust the server, you can get rid of the alert by installing the Remember Mismatched Domains extension for Firefox, Thunderbird 2.x, or SeaMonkey. It adds a "Don't warn me again about this certificate for this domain" checkbox to the Domain Name Mismatch and Server Certificate Expired warning windows. Thunderbird 3.x supports adding a security exception without that extension. Either way the exception is tied to the particular certificate you saw, so if the server later presents a different certificate (a renewed one, or one injected by an attacker) the warning returns and should be judged afresh.

Issuer Certificate Unknown

If you get an error message saying the certificate is not trusted because the issuer certificate is unknown, the program is complaining that it can't find the Certificate Authority (CA) certificate that signed that SSL certificate. Press the View Certificate button, look at the certificate, and find out who the Certificate Authority is by looking at the Organization listed under Issued By.

Use Tools -> Account Settings -> Security -> View Certificates -> Authorities and look for a certificate for that CA. If you find it, check that it's still valid. You might also want to make a secure connection to webmail (the web page provided by your email provider for reading and sending mail) using Firefox, click on the icon in the address bar, and then press the "More Information" button to view the details of its certificate. Frequently the same SSL certificate is used for both Thunderbird and Firefox connections.

If it's invalid, check that the date on your computer is correct. It sounds unlikely, but sometimes it's set to the wrong year, which can make the CA certificate appear invalid. If the CA certificate looks valid you can add a security exception for your email provider's SSL certificate using Tools -> Account Settings -> Security -> View Certificates -> Servers -> Add Exception to get rid of the error messages. However, it's recommended that you contact your email provider to find out why the problem is happening, since a server that sends an incomplete chain or uses an unknown CA is indistinguishable, from your side, from an impostor. [1]

Revoked Certificate

If you get an error message about the certificate being revoked (sec_error_revoked_certificate), the issuing CA has withdrawn that certificate before its expiry date; it is invalid and should not be used.

Older versions of Thunderbird never checked whether a certificate had been revoked. Thunderbird 3.1.2 and later do, so after upgrading you may find that a secure connection that used to work suddenly fails. You can disable revocation checking by setting security.OCSP.enabled to 0 in the Config editor (it normally defaults to 1), but bear in mind that this turns off OCSP checking for every connection the program makes, not just this server, so treat it as a temporary workaround. Since the certificate was revoked by its issuing CA, normally at the provider's request, yet the provider is still using it, contact them and find out what's going on.

Incorrect use of wild cards in certificate

This problem occurs if your email provider uses a load-balancing router to automatically direct you to one of several mail servers, and the certificate's wildcard does not actually cover the host names those servers use: a wildcard stands in for a single label of the host name, so a certificate whose name is one label too short does not match.

Thunderbird 2.x had a bug where it accepted a wildcard as matching more than one label of the host name in a certificate, i.e. *.mail.dreamhost.com was accepted for the host a1.postal.mail.dreamhost.com, when the certificate should really have specified *.postal.mail.dreamhost.com. Thunderbird 3 is stricter: a wildcard may only stand in for one label, so it rejects that as a hostname mismatch. You can work around this by setting the environment variable NSS_USE_SHEXP_IN_CERT_NAME to 1 before starting Thunderbird, which restores the lax shell-expression matching, and by using the Remember Mismatched Domains add-on to avoid being prompted every time. The environment variable weakens hostname checking for every connection, not just this one, so the proper fix is for the provider to obtain a certificate that names the hosts it actually serves. [2]
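To make the single-label rule concrete, here is an added Python illustration (written for this article, not Thunderbird's or NSS's own code) that compares a strict matcher, which lets a wildcard replace only the whole left-most label, with the lax shell-expression matching that Thunderbird 2.x applied and that NSS_USE_SHEXP_IN_CERT_NAME=1 re-enables. The function names, the use of fnmatch to approximate shell-expression matching, and the sample host name are assumptions made for the example; the DreamHost names are the ones quoted above.

```python
import fnmatch


def _normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so comparisons are label-wise."""
    return name.lower().rstrip(".")


def match_strict(pattern: str, hostname: str) -> bool:
    """Single-label wildcard matching (the rule Thunderbird 3 enforces).

    A '*' is only accepted as the whole left-most label, it never matches
    across a dot, and at least two labels must follow it, so '*.mail.example.com'
    covers 'a1.mail.example.com' but neither 'a1.postal.mail.example.com' nor
    'mail.example.com'. Simplified illustration, not NSS's own code.
    """
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname                      # plain name: exact match
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3:
        return False                                    # '*' must be a whole label, not '*.com'
    if any("*" in label for label in plabels[1:]):
        return False                                    # no wildcards elsewhere
    if len(hlabels) != len(plabels):
        return False                                    # wildcard spans one label only
    return hlabels[1:] == plabels[1:]


def match_shexp(pattern: str, hostname: str) -> bool:
    """Lax shell-expression matching, as Thunderbird 2.x behaved and as
    NSS_USE_SHEXP_IN_CERT_NAME=1 re-enables: '*' matches any run of
    characters, dots included, so one wildcard can swallow several labels.
    Approximated here with fnmatch; illustration, not NSS's own matcher."""
    return fnmatch.fnmatchcase(_normalize(hostname), _normalize(pattern))


def certificate_covers(cert_names, hostname: str, strict: bool = True) -> bool:
    """Return True if any name in the certificate (CN or SAN dNSName
    entries, passed as plain strings) matches the host being connected to."""
    matcher = match_strict if strict else match_shexp
    return any(matcher(name, hostname) for name in cert_names)


if __name__ == "__main__":
    # Constructed sample: the page's DreamHost case. The load-balanced
    # host is a1.postal.mail.dreamhost.com; a certificate that only says
    # *.mail.dreamhost.com is one label short.
    host = "a1.postal.mail.dreamhost.com"
    for cert_name in ("*.mail.dreamhost.com", "*.postal.mail.dreamhost.com"):
        print(f"{cert_name:32} strict={match_strict(cert_name, host)!s:5} "
              f"shexp={match_shexp(cert_name, host)}")
```

Under the strict rule only *.postal.mail.dreamhost.com matches the load-balanced host; the lax rule accepts both, which is why the error only appeared after the upgrade.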

Ports

SSL certificates are normally only presented on certain ports. If you get one of these errors for a port that normally carries a different protocol or a plaintext connection, be suspicious: something on the path may be trying to get you to accept a certificate where no secure session is expected. Note that the ports marked "No" below can still be upgraded to TLS with STARTTLS after the connection starts in plaintext, and that port 587 (SMTP submission) uses STARTTLS rather than TLS from the first byte; the other "Yes" ports use TLS from the start.

Port   Protocol   Secure connection
25     SMTP       No (STARTTLS may upgrade it)
110    POP        No (STARTTLS may upgrade it)
143    IMAP       No (STARTTLS may upgrade it)
389    LDAP       No (STARTTLS may upgrade it)
465    SMTP       Yes (TLS from the start)
587    SMTP       Yes (via STARTTLS)
636    LDAP       Yes (TLS from the start)
993    IMAP       Yes (TLS from the start)
995    POP        Yes (TLS from the start)

Related bugs

External Links

* Network Security Services (NSS): http://www.mozilla.org/projects/security/pki/nss/
* SSL error codes: http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html#1040263
* SSL And The Future Of Authenticity: http://blog.thoughtcrime.org/ssl-and-the-future-of-authenticity