Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

With respect to the x509v3 Subject Alt Name, what EXACTLY is Firefox 38+ (v38.2.1- v38.4) doing in its certificate format checks?

  • 1 cavab
  • 2 have this problem
  • 2 views
  • Last reply by bergmanem

more options

Given that all other attributes in my server certificates are the same, this works (I can access my webpage): Subj: cn=my.friendlydomainname.com,ou=suborg,ou=suborg,ou=suborg,o=org,c=country SubjectAltName: DNS:my.friendlydomainname.com,DNS:6.7.8.9,IPAddress:6.7.8.9

but, this doesn't: (yields "security library: improperly formatted DIR-encoded message (Error code: sec_error_bad_der)") Subj: cn=my.domain.com,ou=suborg,ou=suborg,ou=suborg,o=org,c=country SubjectAltName: DNS:my.ugly.fullyqualifieddomainname.com.,DNS:my.friendlydomainname.com.,DNS:my.ugly.fullyqualifieddomain.name.com,DNS:my.friendlydomainname.com,DNS:6.7.8.9,IPAddress:6.7.8.9

I can successfully look up all Subject Alt Names in DNS.

Is there a way to see more error detail than the simple sec_error_bad_der message?

The request comes from FF38 in either Windows 7 or CentOS 6. The web server is hosted on CentOS 6.

Given that all other attributes in my server certificates are the same, this works (I can access my webpage): Subj: cn=my.friendlydomainname.com,ou=suborg,ou=suborg,ou=suborg,o=org,c=country SubjectAltName: DNS:my.friendlydomainname.com,DNS:6.7.8.9,IPAddress:6.7.8.9 but, this doesn't: (yields "security library: improperly formatted DIR-encoded message (Error code: sec_error_bad_der)") Subj: cn=my.domain.com,ou=suborg,ou=suborg,ou=suborg,o=org,c=country SubjectAltName: DNS:my.ugly.fullyqualifieddomainname.com.,DNS:my.friendlydomainname.com.,DNS:my.ugly.fullyqualifieddomain.name.com,DNS:my.friendlydomainname.com,DNS:6.7.8.9,IPAddress:6.7.8.9 I can successfully look up all Subject Alt Names in DNS. Is there a way to see more error detail than the simple sec_error_bad_der message? The request comes from FF38 in either Windows 7 or CentOS 6. The web server is hosted on CentOS 6.

All Replies (1)

more options

Also noticed: If FF fails the first object in the SAN list, it doesn't seem to iterate over the rest (MUST per RFC 2459). I also had a connection fail because the first name in the SAN list was not in DNS. Once it was added to DNS, I could connect.