Closed
Bug 787868
Opened 12 years ago
Closed 12 years ago
StartCom CA certificate with different hash is cached, preventing verification of subsequent startcom-signed certificates
Categories
(Core :: Security: PSM, defect)
RESOLVED
WORKSFORME
People
(Reporter: dan, Unassigned)
Attachments
(3 files)
User Agent: Mozilla/5.0 (X11; Linux i686; rv:15.0) Gecko/20100101 Firefox/15.0 Iceweasel/15.0
Build ID: 20120829073406

Steps to reproduce:
1. Start Firefox
2. Browse to https://isig.org.nz/ -> Error: sec_error_untrusted_issuer
3. Browse to https://startssl.com/ -> Error: sec_error_untrusted_issuer
4. Restart Firefox
5. Browse to https://startssl.com/ -> Success
6. Browse to https://isig.org.nz/ -> Error: sec_error_untrusted_issuer

Actual results:
Failure at steps 2, 3, 6.

Expected results:
Success at all steps.

See also bug 784296, bug 479508, bug 602750, bug 751960.

From what I can tell, https://isig.org.nz/ serves a CA-certificate with sha256withRSA, and Firefox has a sha1withRSA in its store (with the same public key).
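The condition the reporter suspects (two CA certificates with the same subject and public key but different signature algorithms) can be checked directly on DER-encoded certificates. The Python below is an added example, not code from this bug or from Firefox/NSS; `sample_ca` builds constructed certificate skeletons (not real StartCom certificates), and the parser assumes single-byte DER tags.

```python
import hashlib

# DER-encoded OIDs of the two signature algorithms named in the report.
SIG_ALGS = {bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
            bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption"}

def elements(buf):
    """Yield (tag, content, whole_element) for each DER element in buf."""
    i = 0
    while i < len(buf):
        tag, n, j = buf[i], buf[i + 1], i + 2
        if n & 0x80:                      # long-form length: next k bytes hold it
            k = n & 0x7F
            n, j = int.from_bytes(buf[j:j + k], "big"), j + k
        if j + n > len(buf):
            raise ValueError("truncated DER element")
        yield tag, buf[j:j + n], buf[i:j + n]
        i = j + n

def describe(cert_der):
    """Return subject, SPKI hash and outer signature algorithm of a certificate."""
    tbs, sig_alg, _sig = elements(next(elements(cert_der))[1])
    fields = [f for f in elements(tbs[1]) if f[0] != 0xA0]   # drop [0] version
    # Remaining order: serial, signature, issuer, validity, subject, SPKI.
    oid = next(elements(sig_alg[1]))[1]
    return {"subject": fields[4][2],
            "spki_sha256": hashlib.sha256(fields[5][2]).hexdigest(),
            "sig_alg": SIG_ALGS.get(oid, oid.hex())}

def same_key_different_signature(a_der, b_der):
    a, b = describe(a_der), describe(b_der)
    same_identity = (a["subject"], a["spki_sha256"]) == (b["subject"], b["spki_sha256"])
    return same_identity and a["sig_alg"] != b["sig_alg"]

def tlv(tag, *parts):
    """DER-encode one element; only used to build the constructed samples (< 256 bytes)."""
    body = b"".join(parts)
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + head + body

def sample_ca(sig_oid_hex, key=b"constructed-key"):
    """Constructed CA certificate skeleton with placeholder key and signature."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(sig_oid_hex)), tlv(0x05))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03"), tlv(0x0C, b"Example CA"))))
    validity = tlv(0x30, tlv(0x17, b"120101000000Z"), tlv(0x17, b"220101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), alg, name,
              validity, name, tlv(0x30, tlv(0x03, b"\x00" + key)))
    return tlv(0x30, tbs, alg, tlv(0x03, b"\x00sig"))

SHA1_CA = sample_ca("2a864886f70d010105")      # stands in for the stored CA cert
SHA256_CA = sample_ca("2a864886f70d01010b")    # stands in for the served CA cert
```

To run it on certificates captured with `openssl s_client -showcerts`, convert each PEM block to DER first, for example with `ssl.PEM_cert_to_DER_cert` from the Python standard library.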
Reporter
Comment 1•12 years ago
Reporter
Comment 2•12 years ago
openssl s_client </dev/null -CApath /etc/ssl/ -connect startssl.com:https -showcerts
Reporter
Comment 3•12 years ago
openssl s_client </dev/null -CApath /etc/ssl/ -connect isig.org.nz:https -showcerts
Updated•12 years ago
Component: Untriaged → Security: PSM
Product: Firefox → Core
Comment 4•12 years ago
Visiting https://isig.org.nz/ works fine for me using FF 15.0.1. https://startssl.com/ now uses an EV cert signed by "StartCom Extended Validation Server CA" so I could not reproduce your case. https://isig.org.nz/ now serves a SHA1 certificate. Is this still a problem for you?
Reporter
Comment 5•12 years ago
I no longer get the reported behaviour. I'm now able to browse to https://isig.org.nz/ without error. I'll close this bug, but please feel free to re-open if you think it merits further investigation.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME