Closed Bug 453075 Opened 16 years ago Closed 8 years ago

Unverified certificates no longer give detailed errors since bug 149834

Categories

(Core :: Security: PSM, defect)

All
macOS
defect
Not set
normal

RESOLVED DUPLICATE of bug 91403

People

(Reporter: stuart.morgan+bugzilla, Unassigned)

Details

(Keywords: regression)

Our certificate code used to give fairly specific errors when a certificate couldn't be verified (see, e.g., the screenshot in bug 321825), but now it always just says "The certificate could not be verified for unknown reasons". This is broken at least back to 1.6.3, but I haven't regressed it further. As Smokey and/or Chris noted in the channel, the discussion in bug 383988 may well be relevant here as well.

Putting on the 2.0 list since it would really be nice to fix this to go along with the new cert UI, but since it's not a regression it wouldn't block.
Not a regression from what? It's a regression from *something*, since it used to be better and is now broken, right?
Hardware: PC → All
Not a regression from current shipping versions. (If it's like the other bug, it hasn't worked since 1.0.x, and the world hasn't ended.)
Looks like it fails on nsNSSCertificateDB.cpp:1058

srv = CERT_GetCertTrust(nsscert, &nsstrust);

The only way for CERT_GetCertTrust to return a failure code is if nsscert->trust is NULL.

Firefox (as of 3.0.9) exhibits this behaviour too. STR:

Visit https://www.a-trust.at/
Click Add Exception…
Click Get Certificate
Certificate status shows the correct thing (not verified by a recognized authority).
Click View…
Get "Could not verify this certificate for unknown reasons."

It seems that we get a proper error code (sec_error_unknown_issuer) but when we try to get the certificate's trust setting, we run into problems.
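
The failure mode described in comment 3 above, as a simplified C model added here; it is not code from PSM, NSS or anyone in this bug. The types, the error enum and every message other than the two strings quoted in the bug are constructed stand-ins.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins for this example; not NSS's real types or values. */
typedef struct { unsigned int flags; } model_trust;
typedef struct { const model_trust *trust; } model_cert; /* NULL: no trust record */
enum model_err { MODEL_OK, MODEL_UNKNOWN_ISSUER, MODEL_EXPIRED, MODEL_OTHER };

#define MSG_GENERIC "Could not verify this certificate for unknown reasons."

/* Mirrors the behaviour stated in comment 3: fails only when trust is NULL. */
static int model_get_cert_trust(const model_cert *c, model_trust *out)
{
    if (c->trust == NULL) return -1;
    *out = *c->trust;
    return 0;
}

/* Map a verification result to text, independent of any trust lookup.
 * Only the unknown-issuer and generic strings come from the bug report. */
static const char *message_for(enum model_err e)
{
    switch (e) {
    case MODEL_OK:             return "This certificate has been verified.";
    case MODEL_UNKNOWN_ISSUER: return "Not verified by a recognized authority.";
    case MODEL_EXPIRED:        return "This certificate has expired.";
    default:                   return MSG_GENERIC;
    }
}

/* Pattern that loses detail: a failed trust lookup hides the known error code. */
const char *describe_lossy(const model_cert *c, enum model_err e)
{
    model_trust t;
    if (model_get_cert_trust(c, &t) != 0) return MSG_GENERIC;
    (void)t;
    return message_for(e);
}

/* Pattern that keeps detail: a missing trust record means "no explicit trust". */
const char *describe_detailed(const model_cert *c, enum model_err e)
{
    model_trust t = { 0 };
    (void)model_get_cert_trust(c, &t); /* on failure t stays zeroed */
    return message_for(e);
}
```
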
So, this regressed in Camino trunk and Firefox trunk at the same time as bug 383988 appeared, i.e. when bug 149834 landed.  The patch for bug 149834 doesn't back out cleanly on cvs trunk in order to verify it is the cause here (and not bug 316710 or bug 137506), but I did back it out on the MOZILLA_1_8_BRANCH again and can verify that this bug (missing detailed errors when viewing a certificate) goes away.

We sort-of have two bugs here: the general regression that affects everyone, and the fact that we aren't (able to?) making use of the fancy error code (e.g. sec_error_unknown_issuer) in our UI.  Stuart, do you want to send this one to PSM and spin a new one on trying to use the fancy error code to produce sane errors like Firefox does in Certificate Status during its exceptions process?
Sounds good.
OK, filed bug 490188 on trying to make Camino UI use whatever method Firefox is using to get the right error message in its Cert Status box in its exception UI.

This bug is now solely about the PSM regression (caused by bug 149834) that causes Camino and Firefox certificate viewing UI to display a generic error message ("The certificate could not be verified for unknown reasons") instead of the specific, detailed message for unverified certificates.  See also comment 3 for information about where the current code fails.
Assignee: nobody → kaie
Component: Security → Security: PSM
Product: Camino → Core
QA Contact: camino → psm
Summary: Unverified certificates no longer give detailed errors → Unverified certificates no longer give detailed errors since bug 149834
Target Milestone: Camino2.0 → ---
reassign bug owner.
mass-update-kaie-20120918
Assignee: kaie → nobody
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE