some www.skype.com IPs don't include the appropriate intermediate certificate (and others include the anchor)

RESOLVED FIXED

Status

--
major
RESOLVED FIXED
3 years ago
2 years ago

People

(Reporter: hsivonen, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(1 attachment)

(Reporter)

Description

3 years ago
Created attachment 8718973 [details]
Invalid cert saved from Windows 10

Steps to reproduce:

1) Navigate to https://www.skype.com in Firefox 44 on Windows 10.

Actual results:
sec_error_unknown_issuer and the certificate viewer shows only the leaf in the chain.

Expected results:
Successful connection.

Additional info:
Edge and Chrome connect OK. Nightly on Ubuntu 15.10 x86_64 connects OK and shows the certificate chain. Exporting the leaf from Firefox 44 on Windows 10 and Nightly on Ubuntu 15.10 result in identical files.

https://www.ssllabs.com/ssltest/analyze.html?d=skype.com&s=65.55.157.237 says that the server sends the leaf, an intermediate and even the root cert, so it's not a matter of a missing intermediate being cached or not. (I checked that the SHA-1 fingerprint matches on ssllabs and in Firefox.)
(Reporter)

Updated

3 years ago
Version: 45 Branch → 44 Branch
(Reporter)

Comment 1

3 years ago
Oh, and I saw this on two distinct Windows 10 boxes.
Have you installed firefox after you have installed any antivirus that does so called "internet security" ?
(In reply to Henri Sivonen (:hsivonen) from comment #0)
> https://www.ssllabs.com/ssltest/analyze.html?d=skype.com&s=65.55.157.237
> says that the server sends the leaf, an intermediate and even the root cert,

These three don't, though:

https://www.ssllabs.com/ssltest/analyze.html?d=skype.com&s=157.56.198.10
https://www.ssllabs.com/ssltest/analyze.html?d=skype.com&s=157.56.114.105
https://www.ssllabs.com/ssltest/analyze.html?d=skype.com&s=111.221.123.232
Component: Security: PSM → Desktop
Product: Core → Tech Evangelism
Summary: sec_error_unknown_issuer for www.skype.com → some www.skype.com IPs don't include the appropriate intermediate certificate (and others include the anchor)
Version: 44 Branch → unspecified
(Reporter)

Comment 4

3 years ago
(In reply to Honza Bambas (:mayhemer) from comment #2)
> Have you installed firefox after you have installed any antivirus that does
> so called "internet security" ?

No, the only anti-virus that's ever been on either of these Windows 10 installations is the built-in one.
According to https://www.ssllabs.com/ssltest/analyze.html?d=skype.com
it seems that everything has been fixed.
Thanks Henri
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.