
Intermediate CAs are not being retrieved/parsed correctly when a root CA is marked as untrusted.

RESOLVED DUPLICATE of bug 585352

Status

4 years ago
3 years ago

People

(Reporter: marc.thomas-8ge8me2, Unassigned)

Tracking

31 Branch
x86
Windows Vista

Details

(Reporter)

Description

4 years ago
When visiting an https site that uses a CA marked as untrusted, Firefox issues

Error code: sec_error_unknown_issuer

when it should be issuing

Error code: sec_error_untrusted_issuer

This problem also causes the certificate viewer to be inconsistent in displaying the full certificate hierarchy, often only listing the site's certificate.

This problem is not present in Firefox 30 nor in Firefox 31 when "security.use_mozillapkix_verification" is set to false.

Comment 1

Do you have a URL or certificate illustrating this issue?
Flags: needinfo?(marc.thomas-8ge8me2)
(Reporter)

Comment 2

4 years ago
The issue does not appear to be specific to a particular site or cert. To reproduce the issue in Firefox 31:

1.  create a new profile

2.  click options > advanced tab > certificates tab > view certificates button

3.  from the certificate manager's authorities tab disable trust in all certs (or at least disable the authorities used by the site in step 4)

4.  visit any https site whose CA has been disabled (the site should be one that does not support HSTS as the ability to add an exception may be disabled)

5.  the "untrusted connection" warning page should be displayed

6.  clicking "Technical Details" will incorrectly show "Error code: sec_error_unknown_issuer" instead of "Error code: sec_error_untrusted_issuer"

7.  click "I Understand the Risks" then the add exception button

8.  click the view button on the "add security exception" dialog

9.  click the details tab of the certificate viewer

10. the certificate hierarchy box will only display the site's cert instead of the full certificate chain.

The issues in steps 6 and 10 will not occur if after step 1 you set "security.use_mozillapkix_verification" to false in about:config or if you use Firefox 30.
Flags: needinfo?(marc.thomas-8ge8me2)

Comment 3

3 years ago
Thanks for filing the bug. This is basically a combination of two existing bugs.

(In reply to marc.thomas-8ge8me2 from comment #0)
> When visiting an https site that uses a CA marked as untrusted, Firefox
> issues 
> 
> Error code: sec_error_unknown_issuer
> 
> when it should be issuing
> 
> Error code: sec_error_untrusted_issuer

This is Bug 585352. Basically, sec_error_unknown_issuer is correct here, because there is no UI within Firefox to actually mark any sort of certificate as distrusted. You can only remove explicit trust (such as in the Comment 2 STR).

> This problem also causes the certificate viewer to be inconsistent in
> displaying the full certificate hierarchy, often only listing the site's
> certificate.

This is Bug 481656.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 585352
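
The distinction drawn in Comment 3, as an added example that is not part of the original bug and is not Firefox or NSS code: a simplified path builder in which a CA with its trust removed behaves like a CA that was never trusted, while only an actively distrusted CA yields the other error. The names `Trust`, `ISSUER_OF` and `verify`, the three-state trust model and the sample chain are assumptions made for illustration; the error strings are the ones quoted in the bug.

```python
from enum import Enum


class Trust(Enum):
    ANCHOR = "explicitly trusted"
    NONE = "no trust set"          # what removing trust in the certificate manager leaves
    DISTRUSTED = "actively distrusted"


# Constructed sample chain: subject -> issuer (the root is its own issuer).
ISSUER_OF = {
    "site.example": "Example Intermediate CA",
    "Example Intermediate CA": "Example Root CA",
    "Example Root CA": "Example Root CA",
}


def verify(leaf, trust_store, issuer_of=ISSUER_OF):
    """Walk the issuers of `leaf` and return 'ok' or an error code name."""
    seen = {leaf}
    cert = issuer_of.get(leaf)
    while cert is not None and cert not in seen:
        seen.add(cert)
        # A CA missing from the store is treated the same as one with no trust set.
        state = trust_store.get(cert, Trust.NONE)
        if state is Trust.DISTRUSTED:
            # An issuer on the path carries an explicit negative trust record.
            return "sec_error_untrusted_issuer"
        if state is Trust.ANCHOR:
            return "ok"
        cert = issuer_of.get(cert)
    # Ran out of issuers (or looped on a self-signed root) without an anchor.
    return "sec_error_unknown_issuer"


if __name__ == "__main__":
    stores = {
        "default profile": {"Example Root CA": Trust.ANCHOR},
        "trust removed (Comment 2 steps)": {"Example Root CA": Trust.NONE},
        "root actively distrusted": {"Example Root CA": Trust.DISTRUSTED},
    }
    for label, store in stores.items():
        print(f"{label}: {verify('site.example', store)}")
```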