Open Bug 1136702 Opened 9 years ago Updated 2 years ago

"thawte Primary Root CA" authority certificate causes SSL problems

Categories

(Firefox :: Security, defect)

36 Branch
x86_64
Windows 7
defect

UNCONFIRMED

People

(Reporter: vlivanov, Unassigned)

Details

Attachments

(1 file)

73.17 KB, application/vnd.openxmlformats-officedocument.wordprocessingml.document
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Build ID: 20150222232811

Steps to reproduce:

Firefox 35.0.1 has cert8.db file contents:
C:\Users\...\AppData\Roaming\Mozilla\Firefox\Profiles\rlmnx0s4.default>e:tools\certutil.exe -d . -L
Google Internet Authority G2                                 ,,
DigiCert High Assurance CA-3                                 ,,
DigiCert High Assurance EV CA-1                              ,,
VeriSign Class 3 Secure Server CA - G3                       ,,
GeoTrust SSL CA                                              ,,
GeoTrust Global CA                                           ,,
DigiCert SHA2 Secure Server CA                               ,,

The certificates in question are shown in the attached file BeforeUpdate.png.

After update to 36.0 cert8.db file contents:
C:\Users\...\AppData\Roaming\Mozilla\Firefox\Profiles\rlmnx0s4.default>e:tools\certutil.exe -d . -L
Google Internet Authority G2                                 ,,
DigiCert High Assurance CA-3                                 ,,
DigiCert High Assurance EV CA-1                              ,,
VeriSign Class 3 Secure Server CA - G3                       ,,
GeoTrust SSL CA                                              ,,
Thawte SSL CA                                                ,,
thawte Primary Root CA                                       ,,
GeoTrust Global CA                                           ,,
DigiCert SHA2 Secure Server CA                               ,,

The certificates in question are shown in the attached file AfterUpdate.png.

Both "thawte Primary Root CA" certificates (shown in AfterUpdate.png) have the same Public Key (RSA 2048), Subject and Key Identifier.



Actual results:

Firefox SSL stops working (hangs) if more than one PKCS#11 security module is loaded.
Deleting the “thawte Primary Root CA [Software Security Device]” solves the SSL hang problem.


Expected results:

Just to note that this duplicate certificate doesn't exist if Firefox 36.0 is a clean installation (not an update); hence the SSL hang problem doesn't exist there either.
So the expected results of an updated Firefox should be the same as those of a clean-installed Firefox 36.0.
Component: Untriaged → Security
Summary: Duplicate certificate blocks Client SSL → "thawte Primary Root CA" authority certificate causes SSL problems
This is easily reproduced with at least two PKCS#11 libraries from any of these: Cryptovision, Bit4ID, Gemalto, Charismathics and so on, and one SSCD (smart card).

If the "thawte Primary Root CA" is in the "cert8.db" file, after asking for the PIN and selecting the proper certificate (stored on the smart card) the SSL connection takes forever and never finishes.

If the "thawte Primary Root CA" is removed from the "cert8.db" file, the SSL connection is established successfully.

I suspect that the core of the problem is the matching "Public Key", "Subject" and "Key Identifier" of the two "thawte Primary Root CA" certificates - "Builtin Object Token" and "Software Security Device". The latter is stored in "cert8.db" during the Firefox update process together with the "Thawte SSL CA" certificate.
Severity: normal → S3
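As an added illustration (not part of the report, of Firefox or of certutil): a Python script that parses the two `certutil -L` listings above, shows which nicknames the update added to cert8.db, and flags those that collide with a nickname already present in the builtin root module, which is the duplication the reporter describes. The builtin nickname set is constructed here; the `-h "Builtin Object Token"` invocation suggested in the comment for obtaining it is an assumption.

```python
import re

# One `certutil -d <profile> -L` line: nickname, 2+ spaces, trust flags
# "SSL,S/MIME,JAR/XPI" (",," = no explicit trust). Prompt/blank lines don't match.
LISTING_LINE = re.compile(
    r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")

def parse_certutil_listing(text: str) -> dict[str, str]:
    """Map nickname -> trust flags for every certificate line in the listing."""
    certs: dict[str, str] = {}
    for line in text.splitlines():
        m = LISTING_LINE.match(line)
        if m:
            certs[m.group("nick")] = m.group("trust")
    return certs

def added_by_update(before: str, after: str) -> set[str]:
    """Nicknames present in cert8.db after the update but not before."""
    return set(parse_certutil_listing(after)) - set(parse_certutil_listing(before))

def find_shadowed_builtins(listing: str, builtin_nicks: set[str]) -> dict[str, str]:
    """cert8.db entries that duplicate a root already in the builtin module."""
    return {n: t for n, t in parse_certutil_listing(listing).items() if n in builtin_nicks}

# Listings copied from the two certutil runs in the report above.
BEFORE = """
Google Internet Authority G2                                 ,,
DigiCert High Assurance CA-3                                 ,,
DigiCert High Assurance EV CA-1                              ,,
VeriSign Class 3 Secure Server CA - G3                       ,,
GeoTrust SSL CA                                              ,,
GeoTrust Global CA                                           ,,
DigiCert SHA2 Secure Server CA                               ,,
"""
AFTER = """
Google Internet Authority G2                                 ,,
DigiCert High Assurance CA-3                                 ,,
DigiCert High Assurance EV CA-1                              ,,
VeriSign Class 3 Secure Server CA - G3                       ,,
GeoTrust SSL CA                                              ,,
Thawte SSL CA                                                ,,
thawte Primary Root CA                                       ,,
GeoTrust Global CA                                           ,,
DigiCert SHA2 Secure Server CA                               ,,
"""
# Constructed for this example; in practice build it from the output of
# `certutil -d . -L -h "Builtin Object Token"` (assumed invocation), minus the token prefix.
BUILTIN_ROOTS = {"thawte Primary Root CA"}
if __name__ == "__main__":
    print("added by update:", sorted(added_by_update(BEFORE, AFTER)))
    print("duplicates of builtin roots:", find_shadowed_builtins(AFTER, BUILTIN_ROOTS))
```

A duplicate reported with trust ",," is an untrusted copy of a root the builtin module already trusts, which matches the entry the reporter deleted to restore SSL.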