Secure Connection error Certificate path length constraint is invalid


Unread post by aka179 » 2024-02-20, 23:29

Operating system: Windows 7
Browser version: 33.0.0
32-bit or 64-bit browser?: 64bit
Problem URL: any external url
Browser theme (if not default): default
Installed add-ons: TabMix, Session manager

I am getting Secure Connection error: certificate path length constraint is invalid
It happens for any external website.

I am trying to use Pale Moon behind a proxy which does perform HTTPS filtering by MITM attack.
Is there any way to lower browser security to allow such usage?

Until recently I have been using some old browsers (old Firefox, Waterfox Classic). They worked fine. But they are terribly outdated (years).

Modern Chrome works as well. It just shows that connection is not encrypted as the certificate used does not correspond to the domain name.

I would love to use Pale Moon as I am enjoying its classic appearance. I have checked the FAQ and tried to play with the Pale Moon Commander settings - no luck.

Thank you in advance.


Unread post by Moonchild » 2024-02-21, 14:48

This sounds like you have something intercepting your secure connections from Pale Moon. Are you using antivirus/internet security that intercepts internet connections to "scan" them, perhaps?

Some background on path length:
https://stackoverflow.com/questions/6616470/certificates-basic-constraints-path-length wrote:
Taken from RFC 5280, section 4.2.1.9:

A pathLenConstraint of zero indicates that no non-self-issued intermediate CA certificates may follow in a valid certification path. Where it appears, the pathLenConstraint field MUST be greater than or equal to zero. Where pathLenConstraint does not appear, no limit is imposed.

I.e. a pathLenConstraint of 0 does still allow the CA to issue certificates, but these certificates must be end-entity-certificates (the CA flag in BasicConstraints is false - these are the "normal" certificates that are issued to people or organizations).

It also implies that with this certificate, the CA must not issue intermediate CA certificates (where the CA flag is true again - these are certificates that could potentially issue further certificates, thereby increasing the pathLen by 1).

An absent pathLenConstraint on the other hand means that there is no limitation considering the length of certificate paths built from an end-entity certificate that would lead up to our example CA certificate. This implies that the CA could issue an intermediate certificate for a sub CA, this sub CA could again issue an intermediate certificate, this sub CA could again... until finally one sub CA would issue an end-entity certificate.

If the pathLenConstraint of a given CA certificate is > 0, then it expresses the number of possible intermediate CA certificates in a path built from an end-entity certificate up to the CA certificate. Let's say CA X has a pathLenConstraint of 2, the end-entity certificate is issued to EE. Then the following scenarios are valid (I denoting an intermediate CA certificate)
If the path length is included but incorrect in the intermediate cert of your AV, then it will fail to make a connection.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
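
An added example, not part of the original posts or of Pale Moon's code: a minimal Python check of the pathLenConstraint rule quoted above, run over two constructed chains in which an intercepting CA carries pathLenConstraint 0. The `Cert` class, all certificate names, and the choice to apply every CA certificate's constraint (the root's included) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    subject: str
    issuer: str
    is_ca: bool
    path_len: Optional[int] = None  # None means pathLenConstraint is absent

    @property
    def self_issued(self) -> bool:
        return self.subject == self.issuer


def check_path_len(chain: List[Cert]) -> Optional[str]:
    """chain[0] is the end-entity cert, chain[-1] the root.

    Returns None when every constraint holds, else a description of the
    first violation found walking from the leaf towards the root.
    """
    below = 0  # non-self-issued CA certs between the current cert and the leaf
    for cert in chain[1:]:
        if not cert.is_ca:
            return f"{cert.subject}: issued a certificate but CA flag is false"
        if cert.path_len is not None:
            if cert.path_len < 0:
                return f"{cert.subject}: pathLenConstraint must be >= 0"
            if below > cert.path_len:
                return (f"{cert.subject}: pathLenConstraint={cert.path_len} "
                        f"but {below} intermediate CA cert(s) follow")
        if not cert.self_issued:
            below += 1
    return None


# Constructed sample chains (hypothetical names, not taken from the thread).
ROOT = Cert("Proxy Root", "Proxy Root", is_ca=True)
FILTER_CA = Cert("Filter CA", "Proxy Root", is_ca=True, path_len=0)
SUB_CA = Cert("Filter Sub CA", "Filter CA", is_ca=True)
LEAF_DIRECT = Cert("example.test", "Filter CA", is_ca=False)
LEAF_VIA_SUB = Cert("example.test", "Filter Sub CA", is_ca=False)

OK_CHAIN = [LEAF_DIRECT, FILTER_CA, ROOT]            # pathLen 0, no CA below
BAD_CHAIN = [LEAF_VIA_SUB, SUB_CA, FILTER_CA, ROOT]  # pathLen 0, one CA below

if __name__ == "__main__":
    for name, chain in (("ok", OK_CHAIN), ("bad", BAD_CHAIN)):
        print(name, "->", check_path_len(chain) or "path length constraints satisfied")
```

Self-issued CA certificates are not counted against the limit, matching the "non-self-issued" wording in the RFC text quoted above.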


Unread post by aka179 » 2024-02-22, 05:56

It looks like a bug in the browser. If I go into Options->certificates, then change trust options of related certificates in any way, it starts working. But if I restart the browser then the error is back.


Unread post by Moonchild » 2024-02-22, 10:45

No, it isn't a bug in the browser, afaict.
If you manually change the trust level of the certificates you indicate that you're overriding the trust of the cert chain and it'll be accepted for the session.

Since this happens for any sites for you, it's something systemic, so either you've set advanced preferences to something that breaks it for you (here be dragons etc.), or you have something intercepting your connections.

Please post your troubleshooting information so we can check modified preferences.