Closed Bug 1204240 Opened 9 years ago Closed 7 years ago

www.htcdev.com does not send intermediate certificate

Categories

(Web Compatibility :: Site Reports, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: florian.schmidt.welzow, Unassigned)

References

()

Details

(Whiteboard: [sitewait])

Attachments

(1 file)

htcdev.com.crt (1.90 KB, application/x-x509-ca-cert)
Attached file htcdev.com.crt
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36

Steps to reproduce:

Open https://www.htcdev.com/ which uses a certificate from Taiwan CA (TWCA) for its TLS secured connection.


Actual results:

The certificate is rejected, because it was issued by an unknown issuer (sec_error_unknown_issuer).


Expected results:

The certificate is trusted in other browsers (Google Chrome) and the Root CA is in the list of trusted CAs in FF (TWCA Root CA). The certificate itself was issued by "TWCA Secure SSL Certification Authority", whose certificate was issued by "TWCA Global Root CA" (trusted root CA).

I'll attach the retrieved certificate at the time I opened the page.
Component: Untriaged → Security: PSM
Product: Firefox → Core
It looks like multiple servers serve https://www.htcdev.com/.

https://www.ssllabs.com/ssltest/analyze.html?d=www.htcdev.com&s=107.20.157.254
>                   Entrust Certification Authority - L1C
> 2 Extra download  Fingerprint: c53e73073f93ce7895de7484126bc303dab9e657

>                   Entrust.net Certification Authority (2048)   Self-signed	
> 3 In trust store  Fingerprint: 503006091d97d4f5ae39f7cbe7927d7d652d3431

Not particularly interesting since this server uses Entrust certs.

https://www.ssllabs.com/ssltest/analyze.html?d=www.htcdev.com&s=184.73.227.95
https://www.ssllabs.com/ssltest/analyze.html?d=www.htcdev.com&s=107.20.235.140
>                   TWCA Secure SSL Certification Authority
> 2 Extra download  Fingerprint: 0a72efd660fd34f254e66a8595ba81e60a754e68
>                   RSA 2048 bits (e 65537) / SHA256withRSA
>                   TWCA Global Root CA   Self-signed	
> 3 In trust store  Fingerprint: 9cbb4853f6a4f6d352a4e83252556013f5adaf65
>                   RSA 4096 bits (e 65537) / SHA256withRSA 

Two things to note:
1. The "Extra download" part above: the server is not correctly configured to send intermediate certs.
2. The "TWCA Global Root CA" root cert that the server cert chains up to does in fact match the one in the FF root store (see the SHA-1 fingerprints):
    - https://hg.mozilla.org/mozilla-central/annotate/2f1a37cb43ac/security/nss/lib/ckfw/builtins/certdata.txt#l26108
    - https://hg.mozilla.org/releases/mozilla-aurora/annotate/2f1a37cb43ac/security/nss/lib/ckfw/builtins/certdata.txt#l26108
    - https://hg.mozilla.org/releases/mozilla-beta/annotate/aa275ad846f1/security/nss/lib/ckfw/builtins/certdata.txt#l26867
    - https://hg.mozilla.org/releases/mozilla-release/annotate/aa275ad846f1/security/nss/lib/ckfw/builtins/certdata.txt#l26867

=> This is really a server configuration issue. Other browsers might work fine if they do AIA cert fetching, but servers are still supposed to send their intermediate certs.
Status: UNCONFIRMED → NEW
Component: Security: PSM → Desktop
Ever confirmed: true
Product: Core → Tech Evangelism
Summary: TWCA Root CA in FF differs from the one provided on the website → www.htcdev.com does not send intermediate certificate
Version: 40 Branch → unspecified
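To make the "Extra download" finding above concrete, here is an added example (not Mozilla or NSS code) that models how a client builds a chain from what the server sends, its trust store, and optionally an AIA fetch. It uses the subjects and SHA-1 fingerprints quoted from ssllabs in this bug; the leaf fingerprint and the AIA URLs are constructed placeholders, and signatures are not checked, only subject/issuer linkage and fingerprint membership in the trust store. The three cases it distinguishes are the ones in the comment: intermediate sent (trusted), intermediate missing without AIA (sec_error_unknown_issuer, what Firefox reported), and intermediate missing with AIA (works, what Chrome did).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """The few fields path building needs; a stand-in for a real X.509 cert."""
    subject: str
    issuer: str
    fingerprint: str                 # SHA-1 hex, as ssllabs prints it
    aia_url: Optional[str] = None    # caIssuers URL from the AIA extension


# Subjects and fingerprints are those quoted from ssllabs in this bug.
# The leaf fingerprint and all AIA URLs are constructed placeholders.
TWCA_ROOT = Cert("TWCA Global Root CA", "TWCA Global Root CA",
                 "9cbb4853f6a4f6d352a4e83252556013f5adaf65")
TWCA_INTERMEDIATE = Cert("TWCA Secure SSL Certification Authority",
                         "TWCA Global Root CA",
                         "0a72efd660fd34f254e66a8595ba81e60a754e68",
                         aia_url="http://aia.example.invalid/twca-global-root.crt")
LEAF = Cert("www.htcdev.com", "TWCA Secure SSL Certification Authority",
            "0000000000000000000000000000000000000000",   # placeholder
            aia_url="http://aia.example.invalid/twca-secure-ssl.crt")

# Trust store keyed by SHA-1 fingerprint, like the entries in certdata.txt.
TRUST_STORE: Dict[str, Cert] = {TWCA_ROOT.fingerprint: TWCA_ROOT}

# Offline stand-in for the HTTP fetch an AIA-capable client would perform.
AIA_RESPONSES: Dict[str, Cert] = {
    TWCA_INTERMEDIATE.aia_url: TWCA_ROOT,
    LEAF.aia_url: TWCA_INTERMEDIATE,
}


def find_issuer(cert: Cert, presented: List[Cert], trust_store: Dict[str, Cert],
                aia_fetch: bool) -> Tuple[Optional[Cert], str]:
    """Locate the issuer of `cert`, recording where it came from."""
    for candidate in presented:
        if candidate.subject == cert.issuer and candidate is not cert:
            return candidate, "sent by server"
    for candidate in trust_store.values():
        if candidate.subject == cert.issuer:
            return candidate, "trust store"
    if aia_fetch and cert.aia_url in AIA_RESPONSES:
        return AIA_RESPONSES[cert.aia_url], "extra download (AIA)"
    return None, ""


def build_chain(presented: List[Cert], trust_store: Dict[str, Cert] = TRUST_STORE,
                aia_fetch: bool = False, max_depth: int = 8
                ) -> Tuple[bool, List[Tuple[str, str]]]:
    """Walk from the leaf (presented[0]) up to a trust anchor.

    Returns (trusted, steps); each step is (subject, source). When no issuer
    can be found, the last step names the NSS-style error instead of a source.
    """
    current = presented[0]
    steps = [(current.subject, "sent by server")]
    for _ in range(max_depth):
        if current.fingerprint in trust_store:      # reached a trust anchor
            return True, steps
        issuer, source = find_issuer(current, presented, trust_store, aia_fetch)
        if issuer is None:
            steps.append((current.issuer, "sec_error_unknown_issuer"))
            return False, steps
        steps.append((issuer.subject, source))
        current = issuer
    steps.append(("", "chain too long"))
    return False, steps


def missing_intermediates(presented: List[Cert],
                          trust_store: Dict[str, Cert] = TRUST_STORE) -> List[str]:
    """Certificates the server should add to its chain file: everything a
    client could only obtain through an AIA download."""
    _, steps = build_chain(presented, trust_store, aia_fetch=True)
    return [subject for subject, source in steps if source.startswith("extra download")]


if __name__ == "__main__":
    for label, sent, aia in [("intermediate sent, no AIA", [LEAF, TWCA_INTERMEDIATE], False),
                             ("leaf only, no AIA (Firefox)", [LEAF], False),
                             ("leaf only, AIA fetch (Chrome)", [LEAF], True)]:
        ok, steps = build_chain(sent, aia_fetch=aia)
        print(f"{label}: {'trusted' if ok else 'REJECTED'}")
        for subject, source in steps:
            print(f"    {subject or '-'}  [{source}]")
    print("server should also send:", missing_intermediates([LEAF]))
```

`missing_intermediates` is the check an operator wants: it lists exactly the certificates a client had to download on its own, which is what the ssllabs "Extra download" line reports. Against a live server the equivalent observation comes from `openssl s_client -connect host:443 -showcerts`, which prints every certificate the server actually sends; if the intermediate is absent there, the fix is in the server's chain configuration, not in the client's trust store.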
To make sure (maybe it's already clear): I'm not the operator of htcdev.com or any associated company, I'm a user :)

It's "just" confusing if a page works fine in one browser and doesn't work (without any certificate exception) in another browser.
There is a form to contact the Web site to push them to adjust their certificates.
https://www.htcdev.com/contact

Feel free to contact them.
I'm adding the keyword contactready.
If you do contact, please switch to sitewait.
Whiteboard: [contactready]
I tried contacting using the form, but I'm pretty sure it didn't go through. Tried multiple times and the page takes a long time to respond, then navigates to a blank page.

If someone else wants to give it a shot, that'd be helpful.
I filed an issue using the form and received an email with a tracking number.
Whiteboard: [contactready] → [sitewait]
Seems to be fixed now.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
Product: Tech Evangelism → Web Compatibility