Closed
Bug 1204240
Opened 9 years ago
Closed 7 years ago
www.htcdev.com does not send intermediate certificate
Categories
(Web Compatibility :: Site Reports, defect)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: florian.schmidt.welzow, Unassigned)
Details
(Whiteboard: [sitewait])
Attachments
(1 file)
1.90 KB,
application/x-x509-ca-cert
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36

Steps to reproduce:
Open https://www.htcdev.com/, which uses a certificate from Taiwan CA (TWCA) for its TLS-secured connection.

Actual results:
The certificate is rejected because it was issued by an unknown issuer (sec_error_unknown_issuer).

Expected results:
The certificate is trusted in other browsers (Google Chrome) and the Root CA is in the list of trusted CAs in FF (TWCA Root CA). The certificate itself was issued by "TWCA Secure SSL Certification Authority", whose certificate was issued by "TWCA Global Root CA" (trusted root CA). I'll attach the retrieved certificate at the time I opened the page.
Comment 1•9 years ago
It looks like multiple servers serve https://www.htcdev.com/.

https://www.ssllabs.com/ssltest/analyze.html?d=www.htcdev.com&s=107.20.157.254
> Entrust Certification Authority - L1C
> 2 Extra download Fingerprint: c53e73073f93ce7895de7484126bc303dab9e657
> Entrust.net Certification Authority (2048) Self-signed
> 3 In trust store Fingerprint: 503006091d97d4f5ae39f7cbe7927d7d652d3431

Not particularly interesting since this server uses Entrust certs.

https://www.ssllabs.com/ssltest/analyze.html?d=www.htcdev.com&s=184.73.227.95
https://www.ssllabs.com/ssltest/analyze.html?d=www.htcdev.com&s=107.20.235.140
> TWCA Secure SSL Certification Authority
> 2 Extra download Fingerprint: 0a72efd660fd34f254e66a8595ba81e60a754e68
> RSA 2048 bits (e 65537) / SHA256withRSA
> TWCA Global Root CA Self-signed
> 3 In trust store Fingerprint: 9cbb4853f6a4f6d352a4e83252556013f5adaf65
> RSA 4096 bits (e 65537) / SHA256withRSA

Two things to note:
1. The "Extra download" part above: the server is not correctly configured to send intermediate certs.
2. The "TWCA Global Root CA" root cert that the server cert chains up to does in fact match the one in the FF root store (see the SHA-1 fingerprints):
 - https://hg.mozilla.org/mozilla-central/annotate/2f1a37cb43ac/security/nss/lib/ckfw/builtins/certdata.txt#l26108
 - https://hg.mozilla.org/releases/mozilla-aurora/annotate/2f1a37cb43ac/security/nss/lib/ckfw/builtins/certdata.txt#l26108
 - https://hg.mozilla.org/releases/mozilla-beta/annotate/aa275ad846f1/security/nss/lib/ckfw/builtins/certdata.txt#l26867
 - https://hg.mozilla.org/releases/mozilla-release/annotate/aa275ad846f1/security/nss/lib/ckfw/builtins/certdata.txt#l26867

=> This is really a server configuration issue. Other browsers might work fine if they do AIA cert fetching, but servers are still supposed to send their intermediate certs.
Status: UNCONFIRMED → NEW
Component: Security: PSM → Desktop
Ever confirmed: true
Product: Core → Tech Evangelism
Summary: TWCA Root CA in FF differs from the one provided on the website → www.htcdev.com does not send intermediate certificate
Version: 40 Branch → unspecified
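
One way to check for the misconfiguration described in Comment 1 without relying on AIA fetching, as an added example that is not part of the bug thread: it parses the "Certificate chain" section of `openssl s_client -showcerts` output and follows issuer names up to a trusted root. The sample outputs, the `check_chain` function and the name-only trust store are constructed for illustration; matching is by name and does not verify signatures.

```python
import re

# Matches one "N s:<subject>" line followed by its " i:<issuer>" line.
PAIR = re.compile(r"^ *\d+ s:(.+)\n +i:(.+)$", re.M)

# Constructed sample: a server that sends only its leaf certificate.
LEAF_ONLY = """\
Certificate chain
 0 s:CN = www.htcdev.com
   i:CN = TWCA Secure SSL Certification Authority
---
"""

# Constructed sample: the same server once the intermediate is configured.
WITH_INTERMEDIATE = """\
Certificate chain
 0 s:CN = www.htcdev.com
   i:CN = TWCA Secure SSL Certification Authority
 1 s:CN = TWCA Secure SSL Certification Authority
   i:CN = TWCA Global Root CA
---
"""

# Assumption: the trust store is reduced to root subject names.
TRUSTED_ROOTS = {"CN = TWCA Global Root CA"}


def check_chain(s_client_output, trusted_roots):
    """Follow issuer names from the leaf using only certificates the server sent.

    Returns ("complete", None), ("missing", issuer_name) or
    ("untrusted", subject_name). Names only; signatures are not verified.
    """
    pairs = PAIR.findall(s_client_output)
    if not pairs:
        raise ValueError("no certificate chain found in input")
    issuer_of = dict(pairs)              # subject -> issuer, as sent
    current, visited = pairs[0][0], set()
    while current not in visited:        # guard against issuer loops
        visited.add(current)
        issuer = issuer_of[current]
        if issuer in trusted_roots:
            return ("complete", None)    # reaches a root without AIA fetching
        if issuer not in issuer_of:
            return ("missing", issuer)   # issuer neither sent nor a trusted root
        current = issuer
    return ("untrusted", current)        # self-signed or looping, not in the store


if __name__ == "__main__":
    for name, sample in (("leaf only", LEAF_ONLY), ("fixed", WITH_INTERMEDIATE)):
        print(name, "->", check_chain(sample, TRUSTED_ROOTS))
```

A "missing" result corresponds to the "Extra download" marker in the SSL Labs report quoted above: a client that does not fetch intermediates has no path from the leaf to the root.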
To make sure (maybe it's already clear): I'm not the operator of htcdev.com or any associated company, I'm a user :) It's "just" confusing, if a page works fine in one browser and doesn't work (without any certificate exception) in another browser.
Comment 3•8 years ago
There is a form to contact the Web site to push them to adjust their certificates.
https://www.htcdev.com/contact
Feel free to contact them.

I'm adding the keyword contactready.
If you do contact, please switch to sitewait.
Whiteboard: [contactready]
Comment 4•8 years ago
I tried contacting using the form, but I'm pretty sure it didn't go through. Tried multiple times and the page takes a long time to respond, then navigates to a blank page. If someone else wants to give it a shot, that'd be helpful.
Comment 5•8 years ago
I filed an issue using the form and received an email with a tracking number.
Updated•7 years ago
Whiteboard: [contactready] → [sitewait]
Seems to be fixed now.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
Updated•5 years ago
Product: Tech Evangelism → Web Compatibility