Possible Firefox 3 bug may cause Zimbra problems

[iain]

I'm currently running Firefox 3 beta 2 on Ubuntu Linux and I've hit a problem fairly regularly that looks like a Firefox bug but might be a Zimbra issue. If it happens often, it could cause serious problems for Zimbra users in future.

When connecting to Zimbra I sometimes get the error sec_error_reused_issuer_and_serial, which is meant to signify that the server has presented a certificate with the same issuer and serial number to another cert. In this case, Firefox 3 will not allow access to the site: no exceptions, access is simply blocked.

It's possible that this is a Zimbra bug. On the Zimbra server in question I followed the standard procedure to create a local certificate which looks fine and other users haven't reported any problems (new cert. created nearly three months ago so there's been time). So it seems to me unlikely to be a Zimbra bug, but possible.

I'm concerned because the behaviour of Firefox is not consistent:
- Rebooting the PC or stopping/starting Firefox is sometimes enough to get me on.
- The error can still occur when I've deleted every certificate from Firefox, so I don't know what Firefox is comparing the certificate to.

If anyone else has come across this bug, you might like to go to https://bugzilla.mozilla.org/show_bug.cgi?id=410622 and add your comment/vote as right now the Firefox developers are taking the view that it's working as designed.

[iain]

I'm still seeing this issue intermittently on Firefox 2 and Firefox 3, but it sounds like no-one else is (or you're keeping very quiet about it :-) ). I guess that's a good sign, but it would be useful for me to know whether this is a general problem or something only I'm seeing.

[phoenix]

I haven't seen that issue but I'd suggest filing an entry in buzilla so we can take a look at it.

BTW, you mentioned in your first post that it happens even if you delete all the certificates in FF, if that's the case how can the FF developers conclude it's working as designed?

[phoenix]

Quote:

Originally Posted by iain

When connecting to Zimbra I sometimes get the error sec_error_reused_issuer_and_serial, which is meant to signify that the server has presented a certificate with the same issuer and serial number to another cert. In this case, Firefox 3 will not allow access to the site: no exceptions, access is simply blocked.

Just some further info for you. I tried connecting to your url and I get the same message with FF3 but it does allow me to add an exception. Are you using OSCP to verify certificates? I usually find that doesn't work too well and turn it off.

[edit]Sorry, that should have been: I see the (Error code: sec_error_ca_cert_invalid) error.

[iain]

Thanks for the comments. This morning it allows me to add an exception. On Friday, with no change in certificate at all, it refuses me entry altogether.

Unfortunately, with a bug that's both rare and intermittent, I can imagine the developers could tear their hair out to resolve it but I think it is a Firefox bug. I may also raise it as a Zimbra bug for visibility.

On the days when it doesn't like me, I'm having to boot up Win XP in a Virtual Machine just to get access to IE7 to access the admin console

[iain]

Raised as Bug 24696 - Sometimes give error sec_error_reused_issuer_and_serial, preventing login

Firefox developers seem pretty confident it's an issue at my end (i.e. Zimbra rather than Firefox).