Bug 1159471 (Closed)
Opened 10 years ago, closed 8 years ago
Summary: https://bankruptcylink.com/ does not send intermediate certificate and chains to a root certificate that didn't sign it
Categories: Web Compatibility :: Site Reports, defect
Tracking: Not tracked
Status: RESOLVED FIXED
Target Milestone: May
People: Reporter: KaiE, Unassigned
Attachments: 2 files
First, please DON'T ask the operator of that site to fix their site. It's the only site I know with this error, so we'll need it in its current incorrect state to debug Firefox.
This is about:
https://bankruptcylink.com/
If you connect to the site with a FRESH PROFILE, I get
bad_signature
Another user reported they get
invalid_ca_cert
I see the server is configured incorrectly, it doesn't send the intermediate.
If I use an NSS diagnostic utility to connect, I get the expected error
unknown_issuer
So, for whatever reason, mozilla::pkix concludes the server's cert is bad, and worse than not having an issuer.
However, the following is surprising to me.
In the above fresh profile, visit the following link to install the intermediate:
http://www.netsolssl.com/NetworkSolutions_CA.crt
Don't check any checkboxes. Just confirm with OK, which will import the intermediate, but doesn't add any trust.
Now, load the site again
https://bankruptcylink.com/
To my surprise, the site now works.
It seems like an incorrect reporting of the reason for rejection when the intermediate is missing.
Comment 1•10 years ago
The root certificate that is included in NSS's certificate database has a public key that is different than the public key used to sign the certificate. The intermediate you linked to has the public key that was used to sign the certificate. Both certificates have the same subject name, so the end-entity certificate chains to both of them. When mozilla::pkix only has the root certificate and not the intermediate, the signature verification fails. When mozilla::pkix has both certificates available, it tries both and finds the one that works.
Component: Security: PSM → Desktop
Product: Core → Tech Evangelism
Target Milestone: --- → May
Version: 38 Branch → Trunk
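Added illustration, not code from this bug or from mozilla::pkix: a small Python model of the issuer-selection behaviour comment 1 describes. It builds two CA certificates with the same subject name but different keys (a constructed stand-in for the built-in root and the NetworkSolutions_CA.crt intermediate), signs a leaf with the intermediate's key, and runs a path builder that tries every candidate issuer whose subject matches the leaf's issuer name. The second, cross-signing root, the subject strings and the textbook RSA keys (Mersenne primes, no padding, standard library only) are all constructed for the example; the bug does not say which root the real intermediate chains to.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PubKey = Tuple[int, int]   # (n, e)
PrivKey = Tuple[int, int]  # (n, d)


def toy_keypair(p: int, q: int, e: int = 65537) -> Tuple[PubKey, PrivKey]:
    # Textbook RSA from two known Mersenne primes so the example needs no
    # third-party library. Illustration only; nothing here is a real key.
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pubkey: PubKey
    signature: int

    def tbs(self) -> bytes:
        # The "to-be-signed" part: everything except the signature itself.
        return f"{self.subject}|{self.issuer}|{self.pubkey[0]}|{self.pubkey[1]}".encode()


def issue(subject: str, pubkey: PubKey, issuer: str, issuer_priv: PrivKey) -> Cert:
    n, d = issuer_priv
    unsigned = Cert(subject, issuer, pubkey, 0)
    digest = int.from_bytes(hashlib.sha256(unsigned.tbs()).digest(), "big") % n
    return Cert(subject, issuer, pubkey, pow(digest, d, n))


def signature_ok(cert: Cert, issuer_pub: PubKey) -> bool:
    # Verifies against the candidate issuer's key; a same-named issuer with a
    # different key fails here, which is the bad_signature case from comment 1.
    n, e = issuer_pub
    digest = int.from_bytes(hashlib.sha256(cert.tbs()).digest(), "big") % n
    return pow(cert.signature, e, n) == digest


def build_chain(cert: Cert, store: List[Cert], anchors: List[Cert]) -> Tuple[Optional[List[Cert]], str]:
    """Return (chain, status). Candidate issuers are selected by subject name only,
    and every candidate is tried, so a second cert with the same name but the
    right key rescues the chain. No candidate by name at all is unknown_issuer."""
    if any(cert == a for a in anchors):
        return [cert], "ok"
    candidates = [c for c in anchors + store if c.subject == cert.issuer and c is not cert]
    if not candidates:
        return None, "unknown_issuer"
    status = "bad_signature"
    for cand in candidates:
        if not signature_ok(cert, cand.pubkey):
            continue
        chain, err = build_chain(cand, store, anchors)
        if chain:
            return [cert] + chain, "ok"
        status = err
    return None, status


def scenario() -> Dict[str, Tuple[str, List[str]]]:
    ns_name = "CN=Network Solutions Certificate Authority"  # constructed shared subject
    other_root_name = "CN=Example Cross-Signing Root"       # constructed second trust anchor
    root_pub, root_priv = toy_keypair(2**31 - 1, 2**61 - 1)
    inter_pub, inter_priv = toy_keypair(2**89 - 1, 2**107 - 1)
    other_pub, other_priv = toy_keypair(2**127 - 1, 2**17 - 1)
    leaf_pub, _ = toy_keypair(2**19 - 1, 2**13 - 1)

    builtin_root = issue(ns_name, root_pub, ns_name, root_priv)            # self-signed, trusted
    other_root = issue(other_root_name, other_pub, other_root_name, other_priv)
    intermediate = issue(ns_name, inter_pub, other_root_name, other_priv)  # same subject, different key
    leaf = issue("CN=bankruptcylink.com", leaf_pub, ns_name, inter_priv)   # signed by the intermediate

    anchors = [builtin_root, other_root]
    results = {}
    # 1. Fresh profile: server sends only the leaf; the sole name match is the built-in root.
    chain, status = build_chain(leaf, [], anchors)
    results["fresh_profile"] = (status, [c.subject for c in chain or []])
    # 2. Intermediate imported without trust bits: both same-named candidates are tried.
    chain, status = build_chain(leaf, [intermediate], anchors)
    results["with_intermediate"] = (status, [c.subject for c in chain or []])
    # 3. Nothing at all with the issuer's name available.
    chain, status = build_chain(leaf, [], [other_root])
    results["no_candidate"] = (status, [c.subject for c in chain or []])
    return results


if __name__ == "__main__":
    for case, (status, chain) in scenario().items():
        print(f"{case}: {status} {' -> '.join(chain)}")
```

The model shows why importing the intermediate with no trust bits changes the outcome: it adds a second candidate with the right key, and the chain then continues from that candidate to whichever anchor actually signed it, not to the same-named built-in root.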
Updated•10 years ago
Summary: mozilla::pkix unexpected bad_signature/ca_cert_invalid with TLS server that lacks intermediate → https://bankruptcylink.com/ does not send intermediate certificate and chains to a root certificate that didn't sign it
Comment 2 (Reporter)•10 years ago
Thanks for the analysis, it's the first time I encounter a scenario like this.
Did any CA violate any rules by issuing this intermediate with the same subject as a built-in root but with a different key?
Comment 3 (Reporter)•10 years ago
Documenting the server's current certificate.
Comment 4 (Reporter)•10 years ago
Documenting the helpful intermediate.
Comment 5•10 years ago
Not sure why I was CC'd - perhaps because of Comment #2?
The answer is no.
Comment 6•10 years ago
(In reply to Ryan Sleevi from comment #5)
> Not sure why I was CC'd - perhaps because of Comment #2?
>
> The answer is no.
Right.
OTOH, that's supposedly the same CA, with the same certificate population, and this isn't reflected by checking the CRLs:
http://crl.netsolssl.com/NetworkSolutions_CA.crl
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl
There should be no security problem here, because they don't chain back to the same TA. But I don't think it's by design.
Comment 7•9 years ago
So what is the next step with this bug? The issue still exists, should we contact the site?
Comment 8•8 years ago
This site loads fine for me in a clean profile -- seems fixed.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(kaie)
Resolution: --- → FIXED
Comment 9 (Reporter)•8 years ago
This is site evangelism. I confirm the site sends out a chain of intermediates, so if it works, nothing remains to be done.
Flags: needinfo?(kaie)
Updated (Assignee)•6 years ago
Product: Tech Evangelism → Web Compatibility