Open
Bug 1136702
Opened 9 years ago
Updated 2 years ago
"thawte Primary Root CA" authority certificate causes SSL problems
Categories: Firefox :: Security, defect
UNCONFIRMED
People: Reporter: vlivanov, Unassigned
Attachments: 1 file (73.17 KB, application/vnd.openxmlformats-officedocument.wordprocessingml.document)
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Build ID: 20150222232811

Steps to reproduce:

Firefox 35.0.1 has cert8.db file contents:

C:\Users\...\AppData\Roaming\Mozilla\Firefox\Profiles\rlmnx0s4.default>e:tools\certutil.exe -d . -L
Google Internet Authority G2 ,,
DigiCert High Assurance CA-3 ,,
DigiCert High Assurance EV CA-1 ,,
VeriSign Class 3 Secure Server CA - G3 ,,
GeoTrust SSL CA ,,
GeoTrust Global CA ,,
DigiCert SHA2 Secure Server CA ,,

The certificates in question are shown in the attached file BeforeUpdate.png.

After update to 36.0, cert8.db file contents:

C:\Users\...\AppData\Roaming\Mozilla\Firefox\Profiles\rlmnx0s4.default>e:tools\certutil.exe -d . -L
Google Internet Authority G2 ,,
DigiCert High Assurance CA-3 ,,
DigiCert High Assurance EV CA-1 ,,
VeriSign Class 3 Secure Server CA - G3 ,,
GeoTrust SSL CA ,,
Thawte SSL CA ,,
thawte Primary Root CA ,,
GeoTrust Global CA ,,
DigiCert SHA2 Secure Server CA ,,

The certificates in question are shown in the attached file AfterUpdate.png.

Both "thawte Primary Root CA" certificates (shown in AfterUpdate.png) have the same Public Key (RSA2048), Subject, and Key Identifier.

Actual results:

Firefox SSL stops working (hangs) if there is more than one PKCS#11 security module loaded. Deleting the “thawte Primary Root CA [Software Security Device]” solves the SSL hang problem.

Expected results:

Just to note that this duplicate certificate doesn't exist if Firefox 36.0 is a clean installation (not an update). Hence the SSL hang problem doesn't exist. So the expected results of updated Firefox should be the same as clean installed Firefox 36.0.
Reporter | Updated 9 years ago
Component: Untriaged → Security
Reporter | Updated 9 years ago
Summary: Duplicate certificate blocks Client SSL → "thawte Primary Root CA" authority certificate causes SSL problems
This is easily reproduced with at least two PKCS#11 libraries from any of these: Cryptovision, Bit4ID, Gemalto, Charismathics and so on, and one SSCD (smart card). If the "thawte Primary Root CA" is in the "cert8.db" file, after asking for the PIN and selecting the proper certificate (stored on the smart card), the SSL takes forever and never finishes. If the "thawte Primary Root CA" is removed from the "cert8.db" file, the SSL is established successfully.

I suspect that the core of the problem is the matching "Public Key", "Subject" and "Key Identifier" of the "thawte Primary Root CA" certificates: "Builtin Object Token" and "Software Security Device". The latter is stored in "cert8.db" during the Firefox update process together with the "Thawte SSL CA" certificate.
Updated 2 years ago
Severity: normal → S3
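
An added example, not part of the bug report or of Firefox/NSS code: it parses the two `certutil -d . -L` listings quoted in the description, reports which entries the update added to cert8.db, and flags profile entries whose nickname also exists on the builtin token. Nickname equality is used here only as a proxy for the Subject, Public Key and Key Identifier match the reporter describes; `BUILTIN_NICKNAMES` and the function names are assumptions of this example.

```python
import re

# Constructed sample input: the two `certutil -d . -L` listings quoted in the
# report, one "nickname  trust-flags" entry per line.
BEFORE = """\
Google Internet Authority G2 ,,
DigiCert High Assurance CA-3 ,,
DigiCert High Assurance EV CA-1 ,,
VeriSign Class 3 Secure Server CA - G3 ,,
GeoTrust SSL CA ,,
GeoTrust Global CA ,,
DigiCert SHA2 Secure Server CA ,,
"""
AFTER = BEFORE.replace(
    "GeoTrust Global CA ,,",
    "Thawte SSL CA ,,\nthawte Primary Root CA ,,\nGeoTrust Global CA ,,",
)

# Assumption: nicknames present on the read-only "Builtin Object Token".
# Only the root named in the report is listed; a real check needs the full set.
BUILTIN_NICKNAMES = {"thawte Primary Root CA"}

# A listing entry ends in three comma-separated trust-flag fields (SSL, e-mail,
# object signing); ",," means no explicit trust is set on the profile copy.
ENTRY = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")

def parse_listing(text):
    """Return {nickname: trust_flags}, skipping lines that are not entries."""
    entries = {}
    for line in text.splitlines():
        match = ENTRY.match(line)
        if match:
            entries[match.group("nick")] = match.group("trust")
    return entries

def added_by_update(before, after):
    """Entries in the 'after' listing that the 'before' listing lacked."""
    old = parse_listing(before)
    return {n: t for n, t in parse_listing(after).items() if n not in old}

def shadows_builtin(listing, builtin=BUILTIN_NICKNAMES):
    """Profile-database nicknames that also exist on the builtin token."""
    return sorted(n for n in parse_listing(listing) if n in builtin)

if __name__ == "__main__":
    print("added by update:", added_by_update(BEFORE, AFTER))
    print("shadowing a builtin root:", shadows_builtin(AFTER))
```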