Closed Bug 787868 Opened 12 years ago Closed 12 years ago

StartCom CA certificate with different hash is cached, preventing verification of subsequent startcom-signed certificates

Categories

(Core :: Security: PSM, defect)

15 Branch
x86
Linux
defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: dan, Unassigned)

Details

Attachments

(3 files)

User Agent: Mozilla/5.0 (X11; Linux i686; rv:15.0) Gecko/20100101 Firefox/15.0 Iceweasel/15.0
Build ID: 20120829073406

Steps to reproduce:

1. Start Firefox
2. Browse to https://isig.org.nz/ -> Error: sec_error_untrusted_issuer
3. Browse to https://startssl.com/ -> Error: sec_error_untrusted_issuer
4. Restart Firefox
5. Browse to https://startssl.com/ -> Success
6. Browse to https://isig.org.nz/ -> Error: sec_error_untrusted_issuer


Actual results:

Failure at steps 2, 3, 6.


Expected results:

Success at all steps.

See also bug 784296, bug 479508, bug 602750, bug 751960.


From what I can tell, https://isig.org.nz/ serves a CA-certificate with sha256withRSA, and Firefox has a sha1withRSA in its store (with the same public key).
openssl s_client </dev/null -CApath /etc/ssl/ -connect startssl.com:https -showcerts
openssl s_client </dev/null -CApath /etc/ssl/ -connect isig.org.nz:https -showcerts
Component: Untriaged → Security: PSM
Product: Firefox → Core
Visiting https://isig.org.nz/ works fine for me using FF 15.0.1. https://startssl.com/ now uses an EV cert signed by "StartCom Extended Validation Server CA" so I could not reproduce your case. https://isig.org.nz/ now serves a SHA1 certificate.

Is this still a problem for you?
I no longer get the reported behaviour. I'm now able to browse to https://isig.org.nz/ without error. I'll close this bug, but please feel free to re-open if you think it merits further investigation.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
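
The condition the reporter describes, two CA certificates that share a public key but are signed with different hashes, can be checked directly. This is an added example, not part of the bug report or Mozilla's code: a standard-library DER walk that compares subject, SubjectPublicKeyInfo and signature algorithm. The function names are hypothetical and the two sample certificates are constructed placeholders with filler key and signature bytes.

```python
import hashlib
SIG_OIDS = {bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
            bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption"}  # OID content bytes

def read_tlv(buf, pos=0):  # -> (tag, content, raw element, next offset)
    start, tag, length = pos, buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], buf[start:pos + length], pos + length

def children(content):  # split a constructed element's content into (tag, content, raw)
    out, pos = [], 0
    while pos < len(content):
        tag, val, raw, pos = read_tlv(content, pos)
        out.append((tag, val, raw))
    return out

def summarize(der):
    """Extract subject, SPKI hash, signature algorithm and fingerprint from a DER certificate."""
    tbs, sig_alg = children(read_tlv(der)[1])[:2]
    fields = children(tbs[1])
    if fields[0][0] == 0xA0: fields = fields[1:]   # drop the optional explicit [0] version
    subject, spki = fields[4], fields[5]   # after serial, sigalg, issuer, validity
    oid = children(sig_alg[1])[0][1]
    return {"subject": subject[2], "spki": hashlib.sha256(spki[2]).hexdigest(),
            "sig_alg": SIG_OIDS.get(oid, oid.hex()), "fingerprint": hashlib.sha256(der).hexdigest()}

def same_ca_different_cert(der_a, der_b):
    """True when both certs carry the same subject and public key but differ as byte strings."""
    a, b = summarize(der_a), summarize(der_b)
    return (a["subject"], a["spki"]) == (b["subject"], b["spki"]) and a["fingerprint"] != b["fingerprint"]

def tlv(tag, *parts):  # DER encoder, used only to build the constructed samples
    body = b"".join(parts)
    size = (len(body).bit_length() + 7) // 8
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | size]) + len(body).to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_cert(sig_oid, cn=b"Example CA", key=b"\x11" * 64):
    """Constructed, structurally valid certificate; key and signature are filler bytes."""
    alg = tlv(0x30, tlv(0x06, sig_oid), tlv(0x05))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03"), tlv(0x0C, cn))))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")), tlv(0x05)), tlv(0x03, b"\x00" + key))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), alg, name,
              tlv(0x30, tlv(0x17, b"120101000000Z"), tlv(0x17, b"320101000000Z")), name, spki)
    return tlv(0x30, tbs, alg, tlv(0x03, b"\x00" + b"\x22" * 64))
SHA1_VARIANT, SHA256_VARIANT = (sample_cert(oid) for oid in SIG_OIDS)
```

With real input, pass the DER bytes of the certificate in the local trust store and of the one the server sends; a `True` result means both name the same CA key while differing in their encoded bytes.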