Closed
Bug 59161
Opened 24 years ago
Closed 23 years ago
Check in all root certs, if possible
Categories
(NSS :: Libraries, defect, P1)
Tracking
(Not tracked)
VERIFIED
FIXED
Future
People
(Reporter: BenB, Assigned: bugz)
References
Details
(Whiteboard: PDT+, needs a=, critical for 0.9.2)
Attachments
(2 files)
Reproduce:
1. Build psm.xpi with |make build_xpi| (see build instructions)
2. Install the xpi in a fresh (open-source) Mozilla nightly build, fresh profile
3. Visit <https://services.db-privatebanking.de>
Actual result: A warning dialog pops up, saying that the CA for the certificate is not recognized. View the certificate to see that it is issued by "Verisign Trust Network".
Expected result: Since Verisign and Thawte seem to agree to the distribution of their certs (see <http://lxr.mozilla.org/mozilla/security/nss/lib/ckfw/builtins/certdata.txt>), all Verisign and Thawte certs are recognized.
Additional Comments: Please check in all of them into the Mozilla tree ASAP (i.e. before N6 shipment), or tell me how to convert the certs into the certdata.txt format, so I can fix it myself. This is a blocker for me - shipping PSM without reasonable root certs is practically impossible. I do use the builtin root certs - No warning on <https://admin.he.net> (issued by Thawte).
Reporter
Comment 1•24 years ago
eh, wrong summary, correcting.
Summary: Root certs lib not shipped → Check in all root certs, if possible
Reporter
Comment 2•24 years ago
I got completely confused - sorry. You need the patch for bug 59162 - otherwise, *no* cert will be recognized, not even that for he.net.
Reporter
Comment 3•24 years ago
Ian fixed the first part of it, reassigning to him (reassign to <relyea%netscape.com>, when (s)he is back). The site mentioned in the reproduction now works. Thanks Ian.
Checked in are:
- VeriSign/Thawte
- TC Trustcenter
- GlobalSign/BelSign
Leaving open, since there are still lots of certs (all from digsigtrust and many smaller CAs) missing.
Assignee: lord → mcgreer
Component: Daemon → Libraries
Product: PSM → NSS
Version: 1.4 → 3.1
Reporter
Comment 4•24 years ago
Filed bug 59614 about making the tool for creating certdata.txt publicly available.
Updated•24 years ago
QA Contact: nitinp → junruh
Comment 5•24 years ago
Ian, have we checked in all the root certs? Can this be done in NSS 3.2 time frame?
Target Milestone: --- → 3.2
Reporter
Comment 6•24 years ago
Already in:
- Verisign (thousands of times)
- Thawte
- TC Trustcenter
- GlobalSign/BelSign
- ValiCert
The following ones are missing (we have OK to check in):
- Deutsche Telekom (T-TeleSec)
- Entrust
No response so far from (available in 4.x, not yet checked into Mozilla, I mailed them, no response, legal status unclear):
- DigSigTrust
- Equifax
- Baltimore
Not contacted (available in 4.x, not yet checked into Mozilla, I didn't mail them yet, because of missing contact info):
- GTE Cybertrust
- E-Certify
- possibly others
Didn't check Netscape 6, if there are new certs we should distribute, too.
Reporter
Updated•24 years ago
Severity: blocker → major
Assignee
Comment 7•24 years ago
Have checked in Entrust and Deutsche Telekom. marking as future, will watch this bug as more approvals come in. I think Baltimore is under the new contract, so they can be checked in...
Target Milestone: 3.2 → Future
Reporter
Updated•23 years ago
Keywords: mozilla1.0
Assignee
Comment 8•23 years ago
Assignee
Comment 10•23 years ago
Comment 11•23 years ago
r=javi
Comment 12•23 years ago
rs=blizzard
Comment 14•23 years ago
a=blizzard on behalf of drivers for 0.9.2
Whiteboard: PDT+, needs a= → PDT+, needs a=, critical for 0.9.2
Assignee
Comment 15•23 years ago
last set of roots checked in 6/20
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED