Sites using Network Solutions LLC SSL certs are not available

RESOLVED DUPLICATE of bug 1189145

Product: Core
Component: Security: PSM
Reporter: Valerius
Assignee: Unassigned
Version: 36 Branch
Platform: x86_64, Windows 7
Attachments: 2

(Reporter)

Description

3 years ago
Created attachment 8584761 [details]
error.png

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Build ID: 20150320202338

Steps to reproduce:

Fresh installation of Windows 7 64-bit
New installation of FF 36.0.4

Start Firefox 36.0.4, open https://api.boardreader.com/v1/Boards/

Workaround exists (though it had broken my mind): go to Options -> Advanced -> View Certificates -> CA -> find Network Solutions, LLC and remove it.

The main problem is possibly that I cannot ignore this CA error and it's impossible to open the HTTPS-protected site at all.


Actual results:

The site won't open: sec_error_bad_signature (and no way to ignore this)


Expected results:

I should see the XML reply:
<Response><Request/><Error><ErrorMsg>Internal server error</ErrorMsg></Error></Response>
(The error is OK since we did not provide the required API parameters)

Comment 1

3 years ago
The website server looks broken, I cannot reach it...
(Reporter)

Comment 2

3 years ago
(In reply to Loic from comment #1)
> The website server looks broken, I cannot reach it...

Sorry, my bad.
I think api.boardreader.com is not allowed publicly because of the firewall.
The same cert is used e.g. for https://manage.boardreader.com/, please try this URL instead.
The problem is exactly the same.

Comment 3

3 years ago
WFM but this website has a really poor security level:
https://www.ssllabs.com/ssltest/analyze.html?d=manage.boardreader.com

RC4 cipher suite, SSL3, SHA1 as signature algorithm, plus mixed content.

Updated

3 years ago
Component: Untriaged → Security: PSM
Product: Firefox → Core
(Reporter)

Comment 4

3 years ago
Created attachment 8585583 [details]
Screenshot from Ubuntu desktop

The problem can also be repeated on Ubuntu
(Reporter)

Comment 5

3 years ago
Hello,

> WFM but this website has a really poor security level:
> https://www.ssllabs.com/ssltest/analyze.html?d=manage.boardreader.com
> RC4 cipher suite, SSL3, SHA1 as signature algorithm, plus mixed content.

I think the overall site security should not be a problem (we actually don't care at the moment),
but we've been able to repeat the same problem on Ubuntu.

The main issue is that one can do nothing to access the HTTPS-protected page: it's impossible even to add it to the list of security exceptions.

I've attached the screenshot from the Ubuntu desktop my colleague just sent me.
(Sorry, the URL in the screenshot is not publicly available but you can use https://manage.boardreader.com/ with the same effect).
(Reporter)

Comment 6

3 years ago
> Sorry, the URL in the screenshot is not publicly available

Update:

It's now available, feel free to check (normally it should pop up the HTTP Auth form, but with this SSL problem it won't get you even to the auth form stage).

Comment 7

As far as I can tell, manage.boardreader.com isn't sending any intermediate certificates. What could be happening is your profile has a cached intermediate with the same subject as the issuer of the server certificate ("C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority") but with a different public key. Attempting to verify the signature with that intermediate won't work, and since the browser can't find any other potential issuers, the error returned is sec_error_bad_signature.

If the server is configured to include the appropriate intermediate certificate(s), the connection should succeed. These tools might be helpful:
https://whatsmychaincert.com/
https://github.com/cloudflare/cfssl
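
The situation described in the comment above, reproduced offline as an added example (not part of the original bug thread): two constructed CA certificates share one subject but hold different keys, and a leaf signed by one fails verification against the other even though the issuer name matches both. The subject, hostname and file names are made up, and the `openssl` command-line tool is assumed to be installed.

```sh
#!/bin/sh
# Constructed demo: two CA certificates with the SAME subject but DIFFERENT keys.
# The subject, hostname and file names are made up for this illustration.
SUBJ="/C=US/O=Example CA L.L.C./CN=Example Certificate Authority"

demo_same_subject_ca() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        # "served": the CA key that really signed the server certificate.
        # "cached": same subject, different key, like a stale cached intermediate.
        for ca in served cached; do
            openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$SUBJ" \
                -keyout "$ca.key" -out "$ca.pem" 2>/dev/null || exit 1
        done
        # Leaf certificate signed by the "served" CA key.
        openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example" \
            -keyout leaf.key -out leaf.csr 2>/dev/null || exit 1
        openssl x509 -req -in leaf.csr -CA served.pem -CAkey served.key \
            -CAcreateserial -days 1 -out leaf.pem 2>/dev/null || exit 1

        # The leaf's issuer name matches both CAs, so the name cannot pick one.
        issuer=$(openssl x509 -in leaf.pem -noout -issuer | sed 's/^issuer= *//')
        for ca in served cached; do
            subject=$(openssl x509 -in "$ca.pem" -noout -subject | sed 's/^subject= *//')
            [ "$issuer" = "$subject" ] && echo "$ca CA: name matches issuer"
            # Only the CA holding the signing key validates the leaf.
            if openssl verify -CAfile "$ca.pem" leaf.pem >/dev/null 2>&1; then
                echo "$ca CA: verify ok"
            else
                echo "$ca CA: verify failed"
            fi
        done
    )
    rc=$?
    rm -rf "$d"
    return "$rc"
}

demo_same_subject_ca
```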
(Reporter)

Comment 8

3 years ago
David,

Yes, the 'incomplete certificate' looks to be the root of all evil.
However, the above-mentioned sites fail to open on a clean profile (on a clean OS installation actually).
The workaround is also strange (go to Certificate Authorities page and remove Network Solutions LLC).

I think FF should be able to handle this better, at least other browsers do (I've tried Chrome and IE11).

Updated

3 years ago
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1189145