Closed
Bug 543417
Opened 14 years ago
Closed 14 years ago
https site still marked as trusted even if its CA cert is marked as untrusted
Categories
(Core :: Security: PSM, defect)
RESOLVED
WORKSFORME
People
(Reporter: alpha.mm, Assigned: KaiE)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6

I changed CA certificate trust settings for a CA cert (not root cert). Yet it seems nothing happens when I browse sites that use this cert.

Reproducible: Always

Steps to Reproduce:
1. Go to mail.163.com
2. Enter any random characters in the two textboxes on the right, which are e-addr and pwd.
3. Tick the checkbox on the right whose text contains "SSL".
4. Click the login button whose color is somewhat pink.
5. Now your certs should contain CNNIC SSL.
6. Tools -> Options -> Advanced -> View certificates.
7. Under the "Entrust.net" branch, there should be a "CNNIC SSL" cert.
8. Edit it, cancel the three ticks in trust setting. Then OK, OK.
9. Now go to https://www.enum.cn/en/ . You'll find this site is still marked as TRUSTED though it is verified by CNNIC SSL.

Actual Results: Firefox gives me NO warnings when I'm trying to browse a site which is verified by a CA cert that I don't trust.

Expected Results: The browser should give me SOME warnings when I'm trying to browse a site which is verified by a CA cert that I don't trust.
Comment 1•14 years ago
I suspect this might be down to the fact that CNNIC has both an Entrust subsidiary root and its own top level root - you may need to disable trust in both places. In the meantime though, moving to Core::PSM
Assignee: nobody → kaie
Component: Security → Security: PSM
Product: Firefox → Core
QA Contact: firefox → psm
Much thanks, Johnathan. I've found another cert with common name "Entrust.net Secure Server Certification Authority" and serial number "37:4A:D2:43" that hasn't been set to "untrusted". After banning it, the site can be blocked.

So there are altogether 3 certs to set:
1. CNNIC ROOT
2. CNNIC SSL
3. Entrust.net Secure Server Certification Authority (37:4A:D2:43)

Again, thank you for your reply :)

(In reply to comment #1)
> I suspect this might be down to the fact that CNNIC has both an Entrust
> subsidiary root and its own top level root - you may need to disable trust in
> both places. In the meantime though, moving to Core::PSM
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•14 years ago
Resolution: FIXED → WORKSFORME
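
The situation worked out in the comments above, a CA that is reachable through more than one issuer, can be sketched as a small path-building model. This is an added example, not code from the bug or from PSM/NSS; the certificate names, the `Cert` type and the rule that the path builder skips any certificate marked untrusted are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    cert_id: str   # unique per certificate (stands in for serial/fingerprint)
    subject: str
    issuer: str

# Constructed store: "Sub CA" exists as two certificates with the same
# subject, one issued under each root (a cross-signed intermediate).
STORE = [
    Cert("root-a", "Root A", "Root A"),
    Cert("root-b", "Root B", "Root B"),
    Cert("sub-via-a", "Sub CA", "Root A"),
    Cert("sub-via-b", "Sub CA", "Root B"),
]
LEAF = Cert("leaf", "www.example.test", "Sub CA")
ANCHORS = {"root-a", "root-b"}

def trusted_paths(leaf, store, anchors, distrusted):
    """Every chain from leaf to a trust anchor that avoids distrusted certs."""
    paths = []

    def walk(cert, chain):
        # Assumption: a cert the user marked untrusted ends that path.
        if cert.cert_id in distrusted or cert.cert_id in chain:
            return
        chain = chain + [cert.cert_id]
        if cert.cert_id in anchors:
            paths.append(chain)
            return
        # Issuer lookup is by name, so same-subject certs are all candidates.
        for cand in store:
            if cand.subject == cert.issuer and cand.cert_id != cert.cert_id:
                walk(cand, chain)

    walk(leaf, [])
    return paths

def remaining_path_certs(leaf, store, anchors, distrusted):
    """CA certs that still take part in at least one valid chain."""
    found = trusted_paths(leaf, store, anchors, distrusted)
    return sorted({cid for path in found for cid in path[1:]})

if __name__ == "__main__":
    # Editing trust on only one copy of the intermediate leaves a valid chain.
    print(trusted_paths(LEAF, STORE, ANCHORS, {"sub-via-a"}))
    print(remaining_path_certs(LEAF, STORE, ANCHORS, {"sub-via-a"}))
```

Listing the certificates that still sit on a valid chain shows which further entries have to be edited in the certificate manager before the site stops validating.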